ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <[email protected]>

.github/workflows/lint.yml

@@ -1,19 +1,27 @@
 name: Lint
 on: [ push, pull_request ]
+permissions:
+  contents: read
+
 jobs:
   rust:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Setup Rust toolchain
       run: rustup show && rustup update
     - name: cargo fmt
-      uses: actions-rs/cargo@v1
+      uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
       with:
         command: fmt
         args: -- --check
     - name: cargo clippy
-      uses: actions-rs/cargo@v1
+      uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
       with:
         command: clippy
         args: --all-features --tests -- -D warnings

.github/workflows/test.yml

@@ -1,16 +1,24 @@
 name: Test
 on: [ push, pull_request ]
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Setup Rust toolchain
       run: rustup show && rustup update
     - name: Build murmurhash3
       run: cargo build
     - name: cargo test
-      uses: actions-rs/cargo@v1
+      uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
       with:
         command: test
         args: --workspace