Improve security of our GitHub Actions (#18413)

Recently CPython introduced this new tool:
https://github.com/python/cpython/blob/8eebe4e6d02bb4ad3f1ca6c52624186903dce893/.pre-commit-config.yaml#L64-L67

Which finds different security related problems with GitHub Actions.

I added this tool to our `.pre-commit-config.yaml` and followed all its
recommendations.

Changes:
- I added `persist-credentials: false` to all `checkout` actions, see `#
Whether to configure the token or SSH key with the local git config` in
https://github.com/actions/checkout
- I moved all permissions from workflow level to job level
- I changed `.github/workflows/mypy_primer_comment.yml` to be a reusable
workflow, see
https://woodruffw.github.io/zizmor/audits/#dangerous-triggers

Author: sobolevn

.github/workflows/build_wheels.yml

@@ -6,14 +6,16 @@ on:
     tags: ['*']
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   build-wheels:
     if: github.repository == 'python/mypy'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.11'

.github/workflows/docs.yml

@@ -35,6 +35,8 @@ jobs:
       VERIFY_MYPY_ERROR_CODES: 1
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.12'

.github/workflows/mypy_primer.yml

@@ -26,8 +26,6 @@ jobs:
   mypy_primer:
     name: Run mypy_primer
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     strategy:
       matrix:
         shard-index: [0, 1, 2, 3, 4]
@@ -38,6 +36,7 @@ jobs:
         with:
           path: mypy_to_test
           fetch-depth: 0
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.12"
@@ -93,8 +92,6 @@ jobs:
     name: Join artifacts
     runs-on: ubuntu-latest
     needs: [mypy_primer]
-    permissions:
-      contents: read
     steps:
       - name: Merge artifacts
         uses: actions/upload-artifact/merge@v4

.github/workflows/mypy_primer_comment.yml

@@ -1,20 +1,21 @@
 name: Comment with mypy_primer diff
 
-on:
+on:  # zizmor: ignore[dangerous-triggers]
   workflow_run:
     workflows:
       - Run mypy_primer
     types:
       - completed
 
-permissions:
-  contents: read
-  pull-requests: write
+permissions: {}
 
 jobs:
   comment:
     name: Comment PR from mypy_primer
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
       - name: Download diffs

.github/workflows/sync_typeshed.yml

@@ -5,20 +5,22 @@ on:
   schedule:
     - cron: "0 0 1,15 * *"
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   sync_typeshed:
     name: Sync typeshed
     if: github.repository == 'python/mypy'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: true  # needed to `git push` the PR branch
         # TODO: use whatever solution ends up working for
         # https://github.com/python/typeshed/issues/8434
       - uses: actions/setup-python@v5

.github/workflows/test.yml

@@ -136,6 +136,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Debug build
       if: ${{ matrix.debug_build }}
@@ -217,6 +219,8 @@ jobs:
       CC: i686-linux-gnu-gcc
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install 32-bit build dependencies
         run: |
           sudo dpkg --add-architecture i386 && \

.github/workflows/test_stubgenc.yml

@@ -29,6 +29,8 @@ jobs:
     steps:
 
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Setup 🐍 3.9
       uses: actions/setup-python@v5

.pre-commit-config.yaml

@@ -16,10 +16,11 @@ repos:
       - id: ruff
         args: [--exit-non-zero-on-fix]
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.30.0
+    rev: 0.31.0
     hooks:
-      - id: check-dependabot
       - id: check-github-workflows
+      - id: check-github-actions
+      - id: check-readthedocs
   - repo: https://github.com/rhysd/actionlint
     rev: v1.7.6
     hooks:
@@ -29,5 +30,20 @@ repos:
           -ignore=property "allow_failure" is not defined,
           -ignore=SC2(046|086),
         ]
+        additional_dependencies:
+          # actionlint has a shellcheck integration which extracts shell scripts in `run:` steps from GitHub Actions
+          # and checks these with shellcheck. This is arguably its most useful feature,
+          # but the integration only works if shellcheck is installed
+          - "github.com/wasilibs/go-shellcheck/cmd/[email protected]"
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v1.0.1
+    hooks:
+      - id: zizmor
+  # Should be the last one:
+  - repo: meta
+    hooks:
+      - id: check-hooks-apply
+      - id: check-useless-excludes
+
 ci:
   autoupdate_schedule: quarterly

action.yml

@@ -32,7 +32,7 @@ branding:
 runs:
   using: composite
   steps:
-    - name: mypy setup
+    - name: mypy setup  # zizmor: ignore[template-injection]
       shell: bash
       run: |
         echo ::group::Installing mypy...