fix zizmor findings

.github/workflows/upx-releases-json.yml

@@ -4,7 +4,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
@@ -16,23 +15,19 @@ on:
     branches:
       - 'master'
   pull_request:
-    paths-ignore:
-      - '.github/upx-releases.json'
 
 jobs:
   generate:
-    uses: crazy-max/.github/.github/workflows/releases-json.yml@fa6141aedf23596fb8bdcceab9cce8dadaa31bd9
+    uses: crazy-max/.github/.github/workflows/releases-json.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0
     with:
       repository: upx/upx
       artifact_name: upx-releases-json
       filename: upx-releases.json
-    secrets: inherit
 
   open-pr:
     runs-on: ubuntu-22.04
     if: github.event_name != 'pull_request'
     permissions:
-      # required to create PR
       contents: write
       pull-requests: write
     needs:
@@ -40,10 +35,10 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       -
         name: Download
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: upx-releases-json
           path: .github
@@ -53,7 +48,7 @@ jobs:
           git add -A .
       -
         name: Create PR
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f  # v7.0.5
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
         with:
           base: master
           branch: bot/upx-releases-json