Harden GitHub Actions workflows: minimal permissions, SHA pins, timeouts

  - Add top-level  on caller (ci.yml) and scheduled/event
    workflows (inactive_issues.yml, needs_contributor.yml)
  - Declare explicit job-level permissions across all reusable workflows
  - Pin all third-party actions to immutable commit SHAs (was using mutable
    tags, including the critical )
  - Align codeql-action on v3 across quality.yml and cyber.yml
  - Add timeout-minutes on every job to prevent runaway builds
  - Add concurrency group on ci.yml with cancel-in-progress for PRs only
  - Add .github/dependabot.yml for automated SHA and npm dependency updates

Author: nicolargo

.github/dependabot.yml

@@ -0,0 +1,18 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      actions:
+        patterns:
+          - "*"
+  - package-ecosystem: "npm"
+    directory: "/glances/outputs/static"
+    schedule:
+      interval: "weekly"
+    groups:
+      npm:
+        patterns:
+          - "*"

.github/workflows/build.yml

@@ -11,10 +11,13 @@ jobs:
     name: Build distribution 📦
     if: github.event_name == 'push'
     runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.14"
       - name: Install pypa/build
@@ -26,7 +29,7 @@ jobs:
       - name: Build a binary wheel and a source tarball
         run: python3 -m build
       - name: Store the distribution packages
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: python-package-distributions
           path: dist/
@@ -37,6 +40,7 @@ jobs:
     needs:
       - build
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     environment:
       name: pypi
       url: https://pypi.org/p/glances
@@ -45,12 +49,12 @@ jobs:
       id-token: write
     steps:
       - name: Download all the dists
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
         with:
           name: python-package-distributions
           path: dist/
       - name: Publish distribution 📦 to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
         with:
           skip-existing: true
           attestations: false
@@ -62,6 +66,7 @@ jobs:
     needs:
       - build
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     environment:
       name: testpypi
       url: https://pypi.org/p/glances
@@ -70,12 +75,12 @@ jobs:
       id-token: write
     steps:
       - name: Download all the dists
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
         with:
           name: python-package-distributions
           path: dist/
       - name: Publish distribution 📦 to TestPyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
         with:
           repository-url: https://test.pypi.org/legacy/
           skip-existing: true

.github/workflows/build_docker.yml

@@ -26,6 +26,8 @@ jobs:
 
   create_docker_images_list:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions: {}
     outputs:
       tags: ${{ steps.config.outputs.tags }}
     steps:
@@ -50,6 +52,9 @@ jobs:
 
   build_docker_images:
     runs-on: ubuntu-latest
+    timeout-minutes: 60
+    permissions:
+      contents: read
     needs:
       - create_docker_images_list
     if: needs.create_docker_images_list.outputs.tags != '[]'
@@ -60,36 +65,36 @@ jobs:
         tag: ${{ fromJson(needs.create_docker_images_list.outputs.tags) }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Retrieve Repository Docker metadata
         id: docker_meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
         with:
           images: ${{ env.DEFAULT_DOCKER_IMAGE }}
           labels: |
             org.opencontainers.image.url=https://nicolargo.github.io/glances/
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
         with:
           platforms: all
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
         with:
           version: latest
 
       - name: Login to DockerHub
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         if: ${{ env.PUSH_BRANCH == 'true' }}
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
 
       - name: Build and push image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           push: ${{ env.PUSH_BRANCH == 'true' }}
           tags: "${{ env.DEFAULT_DOCKER_IMAGE }}:${{ matrix.os != 'alpine' && format('{0}-', matrix.os) || '' }}${{ matrix.tag.tag }}"

.github/workflows/ci.yml

@@ -8,6 +8,12 @@ on:
       tags:
         - v*
 
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
     quality:
       uses: ./.github/workflows/quality.yml

.github/workflows/cyber.yml

@@ -7,15 +7,20 @@ jobs:
   trivy:
     name: Trivy scan
     continue-on-error: true
+    timeout-minutes: 15
 
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      security-events: write
+
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # master
         with:
           scan-type: 'fs'
           ignore-unfixed: true
@@ -24,6 +29,6 @@ jobs:
           severity: 'CRITICAL'
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@820e3160e279568db735cee8ed8f8e77a6da7818 # v3
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/inactive_issues.yml

@@ -3,14 +3,17 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
+permissions: {}
+
 jobs:
   close-issues:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     permissions:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/stale@v10
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
         with:
           days-before-issue-stale: 90
           days-before-issue-close: -1

.github/workflows/needs_contributor.yml

@@ -3,10 +3,14 @@ on:
   issues:
     types:
       - labeled
+
+permissions: {}
+
 jobs:
   add-comment:
     if: github.event.label.name == 'needs contributor'
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     permissions:
       issues: write
     steps:
@@ -19,4 +23,4 @@ jobs:
           BODY: >
             This issue is available for anyone to work on.
             **Make sure to reference this issue in your pull request.**
-            :sparkles: Thank you for your contribution ! :sparkles:
+            :sparkles: Thank you for your contribution ! :sparkles:

.github/workflows/quality.yml

@@ -7,6 +7,7 @@ jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       actions: read
       contents: read
@@ -22,11 +23,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@820e3160e279568db735cee8ed8f8e77a6da7818 # v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -37,7 +38,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@820e3160e279568db735cee8ed8f8e77a6da7818 # v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -51,4 +52,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@820e3160e279568db735cee8ed8f8e77a6da7818 # v3

.github/workflows/test.yml

@@ -9,17 +9,21 @@ jobs:
 
   source-code-checks:
     runs-on: ubuntu-24.04
+    timeout-minutes: 5
+
+    permissions:
+      contents: read
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       # - name: Check formatting with Ruff
-      #   uses: chartboost/ruff-action@v1
+      #   uses: chartboost/ruff-action@e18ae971ccee1b2d7bbef113930f00c670b78da4 # v1
       #   with:
       #     args: 'format --check'
 
       - name: Check linting with Ruff
-        uses: chartboost/ruff-action@v1
+        uses: chartboost/ruff-action@e18ae971ccee1b2d7bbef113930f00c670b78da4 # v1
         with:
           args: 'check'
 
@@ -35,18 +39,22 @@ jobs:
     needs: source-code-checks
     # https://github.com/actions/runner-images?tab=readme-ov-file#available-images
     runs-on: ubuntu-24.04
+    timeout-minutes: 15
     strategy:
       matrix:
         # Python EOL version are note tested
         # Multiple Python version only tested for Linux
         python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
 
+    permissions:
+      contents: read
+
     steps:
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: ${{ matrix.python-version }}
           cache: 'pip'
@@ -65,17 +73,22 @@ jobs:
     needs: source-code-checks
     # https://github.com/actions/runner-images?tab=readme-ov-file#available-images
     runs-on: windows-2025
+    timeout-minutes: 15
     strategy:
       matrix:
         # Windows-curses not available for Python 3.14 for the moment
         # See https://github.com/zephyrproject-rtos/windows-curses/issues/76
         python-version: ["3.13"]
+
+    permissions:
+      contents: read
+
     steps:
 
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: ${{ matrix.python-version }}
         cache: 'pip'
@@ -95,17 +108,21 @@ jobs:
     needs: source-code-checks
     # https://github.com/actions/runner-images?tab=readme-ov-file#available-images
     runs-on: macos-15
+    timeout-minutes: 15
     strategy:
       matrix:
         # Only test the latest stable version
         python-version: ["3.14"]
 
+    permissions:
+      contents: read
+
     steps:
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: ${{ matrix.python-version }}
           cache: 'pip'
@@ -129,10 +146,10 @@ jobs:
   #       python-version: ["3.14"]
   #   steps:
 
-  #     - uses: actions/checkout@v5
+  #     - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
   #     - name: Set up Python ${{ matrix.python-version }}
-  #       uses: actions/setup-python@v6
+  #       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
   #       with:
   #         python-version: ${{ matrix.python-version }}
   #         cache: 'pip'