ci: pin actions workflow step hashes and use minimum permissions (#110)

Author: zimeg

.github/workflows/ci-build.yml

@@ -22,10 +22,14 @@ jobs:
           - "3.9"
           - "3.8"
           - "3.7"
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies

.github/workflows/triage-issues.yml

@@ -4,20 +4,19 @@
 
 name: Close stale issues and PRs
 
-on: 
+on:
   workflow_dispatch:
   schedule:
-    - cron: '0 0 * * 0'
-  
-permissions:
-  issues: write
-  pull-requests: write
+    - cron: "0 0 * * 0"
 
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
-      - uses: actions/stale@v4.0.0
+      - uses: actions/stale@cdf15f641adb27a71842045a94023bef6945e3aa # v4.0.0
         with:
           days-before-issue-stale: 30
           days-before-issue-close: 10
@@ -31,4 +30,3 @@ jobs:
           remove-stale-when-updated: true
           enable-statistics: true
           operations-per-run: 60
-