
Conversation

@MariusStorhaug

@MariusStorhaug MariusStorhaug commented Jan 22, 2026

This update improves the security posture of GitHub Actions workflows by addressing zizmor linting warnings. All action references are now pinned to specific commit hashes, permissions follow the principle of least privilege, and insecure workflow triggers have been replaced with safer alternatives.

Security improvements

Pinned action references

All GitHub Actions are now pinned to specific commit SHA hashes instead of mutable tags, preventing supply chain attacks:

  • actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6.0.2)
  • actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 (v4.6.2)
  • super-linter/super-linter@d5b0a2ab116623730dd094f15ddc1b6b25bf7b99 (v8.3.2)
  • super-linter/super-linter/slim@2bdd90ed3262e023ac84bf8fe35dc480721fc1f2 (v8.2.1)
  • PSModule/Auto-Release@eabd533035e2cb9822160f26f2eda584bd012356 (v1.9.5)
  • PSModule/Install-PSModuleHelpers@d60d63e4be477d1ca0c67c6085101fb109bce8f1 (v1.0.6)

Workflow trigger security

Changed pull_request_target to pull_request in Auto-Release workflow to prevent potential code injection attacks from forked repositories.

Least privilege permissions

Moved statuses: write permission from workflow-level to job-level in Action-Test workflow, applying it only to the ActionTestDefault job that actually requires it for the linter.

Credential persistence

Added persist-credentials: false to checkout steps to prevent credential persistence in artifacts.

Linting configuration

  • Enabled VALIDATE_GITHUB_ACTIONS_ZIZMOR in Linter workflow (previously disabled)
  • Updated dependabot schedule to daily with 7-day cooldown for better dependency management
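
The four hardening changes described above (SHA-pinned `uses:` references, `pull_request` instead of `pull_request_target`, no workflow-level `write` permissions, and `persist-credentials: false` on checkout steps) can be checked mechanically. The scanner below is an added example written for this page; it is not code from the PSModule repository, from zizmor or from super-linter. It is a deliberately small regex-based pass over the workflow text rather than a YAML parser, so it has no dependencies. The two workflow texts are constructed samples (the commit SHAs in the hardened one are the `actions/checkout` and `PSModule/Auto-Release` pins listed in the PR description); the rule names are this example's own, not zizmor's audit identifiers.

```python
"""Minimal zizmor-style checks for a GitHub Actions workflow file (added example)."""
import re

# A full 40-hex commit SHA is the only immutable action reference.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
PERSIST_OK_RE = re.compile(r"^\s*persist-credentials:\s*false\b")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _strip_comment(line):
    return line.split("#", 1)[0].rstrip()


def _step_has_persist_false(lines, start, key_indent):
    """Scan the remainder of the step whose `uses:` key sits at lines[start].
    The step ends at the first non-blank line indented less than its keys
    (the next '- ' item, or a dedent out of the steps list)."""
    for raw in lines[start + 1:]:
        if not raw.strip():
            continue
        if _indent(raw) < key_indent:
            return False
        if PERSIST_OK_RE.match(raw):
            return True
    return False


def findings(workflow):
    """Return a list of (rule, line_no, detail) tuples for the workflow text."""
    out = []
    lines = workflow.splitlines()
    section = None  # current top-level key: name, on, permissions, jobs, ...
    for i, raw in enumerate(lines, 1):
        line = _strip_comment(raw)
        if not line.strip():
            continue
        if _indent(line) == 0:
            section = line.split(":", 1)[0].strip()
            # `permissions: write-all` on the workflow-level line itself
            if section == "permissions" and "write" in line:
                out.append(("excessive-permissions", i, line.strip()))
        # pull_request_target runs with the base repo's secrets on fork PRs
        if section == "on" and "pull_request_target" in line:
            out.append(("dangerous-trigger", i, "pull_request_target"))
        # workflow-level write scopes apply to every job; they belong at job level
        if section == "permissions" and _indent(line) > 0 and line.endswith("write"):
            out.append(("excessive-permissions", i, line.strip()))
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if not ref.startswith(("./", "docker://")):  # local/docker refs have no SHA
                _, _, sha = ref.partition("@")
                if not SHA_RE.match(sha):
                    out.append(("unpinned-uses", i, ref))
                if ref.startswith("actions/checkout@"):
                    key_indent = line.index("uses:")
                    if not _step_has_persist_false(lines, i - 1, key_indent):
                        out.append(("missing-persist-credentials-false", i, ref))
    return out


# Constructed sample: the weak configuration the PR moves away from.
WEAK = """\
name: Auto-Release
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
  statuses: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - uses: PSModule/Auto-Release@v1
"""

# Constructed sample: the same workflow after the four hardening changes.
HARDENED = """\
name: Auto-Release
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: PSModule/Auto-Release@eabd533035e2cb9822160f26f2eda584bd012356 # v1.9.5
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {len(findings(text))} finding(s)")
        for rule, line_no, detail in findings(text):
            print(f"  line {line_no}: {rule} ({detail})")
```

Running the block reports six findings on the weak workflow (the trigger, two workflow-level write scopes, two unpinned references, and the checkout step that keeps its token) and none on the hardened one. The job-level `contents: write` in the hardened sample is deliberately not flagged: that is exactly the scope-narrowing the PR applies to `statuses: write`.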

Copilot AI review requested due to automatic review settings January 22, 2026 10:59

Copilot AI left a comment


Pull request overview

This PR tweaks the GitHub Actions linter workflow configuration.

Changes:

  • Reorders/sets VALIDATE_BIOME_FORMAT: false in the super-linter environment configuration.
  • Removes VALIDATE_GITHUB_ACTIONS_ZIZMOR: false, changing which validators run in CI.


Copilot AI review requested due to automatic review settings January 22, 2026 11:28

Copilot AI left a comment


Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

.github/workflows/Linter.yml:35

  • VALIDATE_GITHUB_ACTIONS_ZIZMOR: false was removed from the super-linter env block, which changes behavior (the validator may now run by default and potentially fail the workflow). If the intent is still to disable zizmor checks, please add this env var back; otherwise, consider explicitly setting it to true so the change is intentional and self-documenting.
      - name: Lint code base
        uses: super-linter/super-linter@d5b0a2ab116623730dd094f15ddc1b6b25bf7b99 # v8.3.2
        env:
          GITHUB_TOKEN: ${{ github.token }}
          VALIDATE_BIOME_FORMAT: false
          VALIDATE_JSON_PRETTIER: false
          VALIDATE_MARKDOWN_PRETTIER: false
          VALIDATE_YAML_PRETTIER: false



@MariusStorhaug MariusStorhaug changed the title 🩹 [Patch]: 🩹 Fix GitHub Actions security and linting issues Jan 22, 2026
@MariusStorhaug MariusStorhaug changed the title 🩹 Fix GitHub Actions security and linting issues 🩹[Patch]: Update GitHub Actions security and linting configuration Jan 22, 2026
@MariusStorhaug MariusStorhaug self-assigned this Jan 22, 2026
@MariusStorhaug MariusStorhaug merged commit 57e85ec into main Jan 22, 2026
30 checks passed
@MariusStorhaug MariusStorhaug deleted the fixRef branch January 22, 2026 11:37
