Harden GitHub Actions workflows and actions

[jdbaldry]

Limits vulnerabilities in workflows and especially importantly for actions that are used in multiple other repositories.

I can add a Dependabot or Renovate workflow to keep the pinned hashes up to date.

Linted using zizmor.

Tested with:

zizmor --persona auditor --quiet "--gh-token=${GITHUB_TOKEN}" *.yml

Notable changes:

• Prevent template injection from inputs by using environment variables instead of actions templating expressions in scripts.
• Ensure no checkout actions persist credentials.
• Pin all actions to commit SHAs to prevent mutable references changing action behavior.
• Move elevated permissions to just the jobs that need them so that those permissions aren't accidentally leaked to other jobs that don't.

Deploy PR Preview workflow tested in: https://github.com/grafana/writers-toolkit/actions/runs/12745697349/job/35520196992?pr=945. I believe the failure is expected given this branch isn't approved for Cloud Run usage.

Other docs related workflows were also tested in 95995a7 (#945).

Signed-off-by: Jack Baldry [email protected]

• I've used a relevant pull request (PR) title.
• I've added a link to any relevant issues in the PR description.
• I've checked my changes on the deploy preview and they look good.
• I've added an entry to the What's new page (only required for notable changes).

[jdbaldry]

This workflow isn't used in this repository.

[robbymilo]

Nice work! TIL about passing the inputs to envs, will keep that in mind for the future.