Hi, I'm Diogo and I raised the issue #7069 suggesting you to set minimal permissions to your workflows. Now I'm coming back to suggest a modification that would provide extra safety for the workflows that yet require dangerous permissions (e.g., contents: write).

Problem

Some of your workflows (e.g. auto_author_assign.yml or playwright-update.yml) are using dangerous permissions permissions while running external dependencies pinned only by tag. At publish-release.yml they're not called with dangerous permissions but have access to important secrets (although at this case I see that it's a jupyter-lab action, so I'd understand if you prefer to just trust this one). Those patterns could be dangerous because if any of those actions get hijacked (and at the end they're all repositories and are susceptible to attacks like any other), an attacker could change the code that your tags point to, gaining access to your secrets and/or write permissions to your code.

Proposed Solution

A simple solution for this problem would be to hash-pin those sensitive actions, pointing the actions to the very specific commit of that release. It follows and example of the change:

- uses: r-lib/actions/pr-fetch@v2 
would become
- uses: r-lib/actions/pr-fetch@11a22a908006c25fe054c4ef0ac0436b1de3edbe # v1.3.1

It shouldn't require any more maintenance, because dependabot is also able to keep them updated. It would update them at the same pace you're already used to, and it would still keep a comment with the human-readable version used =).

Conclusion

Let me know if you are interested in this change and I'd be happy to send a PR solving this.

Thanks!