Feature/864 fix linting part 1 persistent credentials and GitHub action shas

.github/dependabot.yml

@@ -8,11 +8,15 @@ updates:
       interval: "weekly"
       day: "monday"
     open-pull-requests-limit: 4
+    cooldown:
+      default-days: 7
 
   # Maintain dependencies for poetry
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
       interval: "weekly"
       day: "monday"
-    open-pull-requests-limit: 4
+    open-pull-requests-limit: 4
+    cooldown:
+      default-days: 7

.github/workflows/fast-tests-extension.yml

@@ -13,6 +13,8 @@ jobs:
       - name: Check out Repository
         id: check-out-repository
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Set up Python & Poetry Environment
         id: set-up-python-and-poetry-environment
@@ -24,3 +26,21 @@ jobs:
       - name: Lint Imports
         id: lint-imports
         run: poetry run -- nox -s lint:import
+
+  # This will be moved to a standard check in the checks.yml in:
+  #  https://github.com/exasol/python-toolbox/issues/811
+  lint-github-actions:
+    name: Lint GitHub Actions
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out Repository
+        id: check-out-repository
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Lint GitHub actions with Zizmor
+        id: lint-github-actions
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          advanced-security: false

.github/workflows/slow-checks.yml

@@ -26,6 +26,8 @@ jobs:
       - name: Check out Repository
         id: check-out-repository
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Set up Python & Poetry Environment
         id: set-up-python-and-poetry-environment

.github/zizmor.yml

@@ -0,0 +1,15 @@
+rules:
+  github-env:
+    disable: true
+  secrets-inherit:
+    disable: true
+  template-injection:
+    disable: true
+  unpinned-uses:
+    config:
+      policies:
+        "actions/*": ref-pin
+        exasol/python-toolbox/.github/actions/python-environment: ref-pin
+        "*": hash-pin
+  use-trusted-publishing:
+    disable: true

doc/changes/unreleased.md

@@ -6,3 +6,4 @@
 ## Feature
 
 * #730: Added support to extend GitHub workflow `cd.yml`
+* #864: Modified PTB workflow templates to not persist credentials and to use pinned SHAs

exasol/toolbox/templates/github/dependabot.yml

@@ -8,6 +8,8 @@ updates:
       interval: "weekly"
       day: "monday"
     open-pull-requests-limit: 4
+    cooldown:
+      default-days: 7
 
   # Maintain dependencies for poetry
   - package-ecosystem: "pip"
@@ -16,3 +18,5 @@ updates:
       interval: "weekly"
       day: "monday"
     open-pull-requests-limit: 4
+    cooldown:
+      default-days: 7

exasol/toolbox/templates/github/workflows/dependency-update.yml

@@ -119,7 +119,7 @@ jobs:
       - name: Report New Pull Request to Slack Channel
         id: report-pr-slack
         if: ${{ steps.create-pr.outputs.pr_url }}
-        uses: ravsamhq/notify-slack-action@v2
+        uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # 2.5.0
         with:
           status: '${{ job.status }}'
           token: '${{ secrets.GITHUB_TOKEN }}'

exasol/toolbox/templates/github/workflows/gh-pages.yml

@@ -34,7 +34,7 @@ jobs:
 
       - name: Upload Artifact
         id: upload-artifact
-        uses: actions/upload-pages-artifact@v5.0.0
+        uses: actions/upload-pages-artifact@v5
         with:
           path: html-documentation
 

pyproject.toml

@@ -59,6 +59,7 @@ dependencies = [
     "structlog (>=25.5.0,<26.0.0)",
     "typer[all]>=0.7.0",
     "twine>=6.1.0,<7",
+    "zizmor (>=1.25.2,<2.0.0)",
 ]
 
 [project.scripts]