ci: Harden GitHub Actions (#2915)

utpilla · web-flow · commit 1760889e27fb · 2025-04-07T22:41:11.000-07:00
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -6,6 +6,8 @@ env:
 permissions: read-all
 
 on:
+  push:
+    branches: [main]
   schedule:
     - cron: '0 0 * * *' # once in a day at 00:00
   workflow_dispatch:
@@ -22,7 +24,7 @@ jobs:
 
     steps:
     - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@v2
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
       with:
         egress-policy: audit
 
diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml
@@ -22,7 +22,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install markdown-link-check
-        run: npm install -g markdown-link-check@3.11.2
+        run: npm install -g "git://github.com/tcort/markdown-link-check.git#ef7e09486e579ba7479700b386e7ca90f34cbd0a" # v3.13.7
 
       - name: Run markdown-link-check
         run: |
