fix zizmor issues

Author: szkiba

.github/workflows/ci.yml

@@ -6,17 +6,23 @@ on:
     branches: ["main", "master"]
     tags: ["v*"]
   pull_request:
+    branches: ["main", "master"]
+
+permissions: {}
 
 jobs:
   build-with-xk6:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
           go-version: 1.22.x
+          cache: false
       - name: Install xk6
         run: go install go.k6.io/xk6/cmd/xk6@latest
       - name: Build

.github/zizmor.yml

@@ -0,0 +1,15 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "*": hash-pin
+        actions/*: any
+        grafana/*: any
+  forbidden-uses:
+    config:
+      deny:
+        # Policy-banned by our security team due to CVE-2025-30066 & CVE-2025-30154.
+        # https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction
+        # https://nvd.nist.gov/vuln/detail/cve-2025-30066
+        # https://nvd.nist.gov/vuln/detail/cve-2025-30154
+        - reviewdog/*