Pin versions and add permissions

Pins the versions of all actions. Adds the minimum required permissions.
rico227 · Jun 12, 2023 · b0f60d4 · b0f60d4
1 parent c5f138f
commit b0f60d4
Showing 1 changed file with 17 additions and 9 deletions.
diff --git a/.github/workflows/CI.yaml b/.github/workflows/CI.yaml
@@ -10,10 +10,18 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+    contents: read
+
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   # This workflow contains a single job called "build"
   build:
+    permissions:
+      checks: write  ## for coveralls
+      contents: read ##  for docker-push
+      security-events: write ## for upload-sarif
     # The type of runner that the job will run on
     runs-on: ${{ matrix.os }}
     strategy:
@@ -23,11 +31,11 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       # Set up Node
       - name: Use Node 16
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2.5.2
         with:
           node-version: 16
           registry-url: "https://registry.npmjs.org"
@@ -56,13 +64,13 @@ jobs:
 
       # Run tests
       - name: Run Test
-        uses: GabrielBB/xvfb-action@fe2609f8182a9ed5aee7d53ff3ed04098a904df2 #v1.0
+        uses: coactions/setup-xvfb@b6b4fcfb9f5a895edadc3bc76318fae0ac17c8b3 # v1.0.1
         with:
           run: yarn coveralls
 
         # Run Coveralls
       - name: Coveralls
-        uses: coverallsapp/github-action@3284643be2c47fb6432518ecec17f1255e8a06a6 #master
+        uses: coverallsapp/github-action@c7885c00cb7ec0b8f9f5ff3f53cddb980f7a4412 # v2.2.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -75,17 +83,17 @@ jobs:
         # Setup QEMU as requirement for docker
       - name: Set up QEMU
         if: ${{ success() && runner.os == 'Linux' && github.event_name == 'push' && github.ref == 'refs/heads/main'}}
-        uses: docker/setup-qemu-action@v1
-
+        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+  
         # Setup DockerBuildx as requirement for docker
       - name: Set up Docker Buildx
         if: ${{ success() && runner.os == 'Linux' && github.event_name == 'push' && github.ref == 'refs/heads/main'}}
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@6a58db7e0d21ca03e6c44877909e80e45217eed2 # v2.6.0
 
         # Login to Quay
       - name: Login to Quay
         if: ${{ success() && runner.os == 'Linux' && github.event_name == 'push' && github.ref == 'refs/heads/main'}}
-        uses: docker/login-action@v1
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc  # v2.2.0
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
@@ -94,7 +102,7 @@ jobs:
         # Build and push the latest version of yaml language server image
       - name: Build and push
         if: ${{ success() && runner.os == 'Linux' && github.event_name == 'push' && github.ref == 'refs/heads/main'}}
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@44ea916f6c540f9302d50c2b1e5a8dc071f15cdf #v4.1.0
         with:
           context: .
           file: ./Dockerfile