separate linter job in Github Actions

pulls out the golangci-lint job from the main go.yml Github Action and
into its own workflow that follows security best practices like ensuring
read-only permissions and using SHA-specific Action releases.

Signed-off-by: Jay Pipes <jaypipes@gmail.com>

.github/workflows/go.yml

@@ -8,19 +8,6 @@ on:
 
 # see: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners
 jobs:
-  # tier 0: system-independent checks
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Check out code
-      uses: actions/checkout@v2
-
-    - name: Verify
-      uses: golangci/golangci-lint-action@v2
-      with:
-        version: v1.41.1
-        args: --timeout=15m0s --verbose
-
   # tier-1
   # main development platform, gets features first and it's most tested
   build-ubuntu-2204:

.github/workflows/lint.yml

@@ -0,0 +1,38 @@
+name: lint
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+permissions:
+  contents: read
+  pull-requests: read # needed for only-new-issues option below
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+     - name: harden runner
+       uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+       with:
+         egress-policy: block
+         disable-sudo: true
+         allowed-endpoints: >
+           github.com:443
+           api.github.com:443
+           raw.githubusercontent.com:443
+           objects.githubusercontent.com:443
+     - name: checkout code
+       uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+     - name: setup go
+       uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+       with:
+         go-version: 1.19
+     - name: lint
+       uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0
+       with:
+         version: v1.53
+         args: --timeout=5m0s --verbose
+         only-new-issues: true