Merge pull request #214 from step-security-bot/stepsecurity_remediation_1707218368

wlemkows · web-flow · commit 0e39d40f06a9 · 2024-02-06T12:36:06.000+01:00
[StepSecurity] ci: Harden GitHub Actions
diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml
@@ -26,7 +26,7 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Install apt packages
       run: |
@@ -144,7 +144,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Install apt packages
         run: |
@@ -231,7 +231,7 @@ jobs:
     runs-on: ${{matrix.os}}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       # Use '14.38.33130' MSVC toolset when compiling UMF with ASan.
       # Running binaries compiled with older toolsets results in a
@@ -240,7 +240,7 @@ jobs:
       # https://github.com/actions/runner-images/issues/8891
       - name: Setup MSVC dev command prompt
         if: matrix.os == 'windows-2022' && matrix.sanitizers.asan == 'ON'
-        uses: TheMrMilchmann/setup-msvc-dev@v3
+        uses: TheMrMilchmann/setup-msvc-dev@48edcef51a12c80d7e62ace57aae1417795e511c # v3.0.0
         with:
           arch: x64
           toolset: 14.38.33130
@@ -274,7 +274,7 @@ jobs:
     runs-on: ${{matrix.os}}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Install Python requirements
         run: python3 -m pip install -r third_party/requirements.txt
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
@@ -2,6 +2,9 @@ name: Benchmarks
 
 on: workflow_call
 
+permissions:
+  contents: read
+
 jobs:
   ubuntu-build:
     name: Build - Ubuntu
@@ -15,7 +18,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Install apt packages
         run: |
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -2,6 +2,9 @@ name: CodeQL
 
 on: workflow_call
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -22,7 +25,7 @@ jobs:
             
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -16,7 +16,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Install doxygen
         run: >
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -6,6 +6,9 @@ on:
   schedule:
     - cron:  '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
     Valgrind:
         name: Valgrind
@@ -17,7 +20,7 @@ jobs:
 
         steps:
         - name: Checkout repository
-          uses: actions/checkout@v4
+          uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
         - name: Install apt packages
           run: |
diff --git a/.github/workflows/pr_push.yml b/.github/workflows/pr_push.yml
@@ -26,7 +26,7 @@ jobs:
 
         steps:
         - name: Checkout repository
-          uses: actions/checkout@v4
+          uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
         - name: Install apt packages
           if: matrix.os == 'ubuntu-latest'
@@ -57,7 +57,7 @@ jobs:
 
       steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Install apt packages
         run: |
diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml
@@ -2,15 +2,18 @@ name: SpellCheck
 
 on: workflow_call
 
+permissions:
+  contents: read
+
 jobs:
     build:
         name: Run spell check
         runs-on: ubuntu-latest
         steps:
             - name: Checkout
-              uses: actions/checkout@v4
+              uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
             - name: Run a spell check
-              uses: crate-ci/typos@v1.16.23
+              uses: crate-ci/typos@c97d621b6b01d8b0258538ca15abeca5c5764601 # v1.16.23
               with:
                 config: ./.github/workflows/.spellcheck-conf.toml
