ci: pin actions workflow step hashes and use minimum permissions (#28)

zimeg · web-flow · commit da5dbb223425 · 2025-05-27T14:02:57.000-07:00
diff --git a/.github/workflows/flake8.yml b/.github/workflows/flake8.yml
@@ -2,7 +2,8 @@ name: Lint validation using flake8
 
 on:
   push:
-    branches: [ main ]
+    branches:
+      - main
   pull_request:
 
 jobs:
@@ -11,19 +12,24 @@ jobs:
     timeout-minutes: 5
     strategy:
       matrix:
-        python-version: ['3.9']
+        python-version:
+          - "3.9"
+    permissions:
+      contents: read
     steps:
-    - uses: actions/checkout@v2
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
-      with:
-        python-version: ${{ matrix.python-version }}
-    - name: Install dependencies
-      run: |
-        pip install -U pip
-        pip install -e ".[testing]"
-        # We manually upgrade it to make the builds stable
-        pip install "flake8==6.1.0"
-    - name: Run flake8
-      run: |
-        flake8 slack_discovery_sdk/
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
+        with:
+          persist-credentials: false
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: |
+          pip install -U pip
+          pip install -e ".[testing]"
+          # We manually upgrade it to make the builds stable
+          pip install "flake8==6.1.0"
+      - name: Run flake8
+        run: |
+          flake8 slack_discovery_sdk/
diff --git a/.github/workflows/py_compile.yml b/.github/workflows/py_compile.yml
@@ -2,29 +2,38 @@ name: Sytanx check using py_compile
 
 on:
   push:
-    branches: [ main ]
+    branches:
+      - main
   pull_request:
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     timeout-minutes: 5
     strategy:
       matrix:
-        python-version: ['3.7', '3.8', '3.9', '3.10', '3.11']
+        python-version:
+          - "3.7"
+          - "3.8"
+          - "3.9"
+          - "3.10"
+          - "3.11"
+    permissions:
+      contents: read
     steps:
-    - uses: actions/checkout@v2
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
-      with:
-        python-version: ${{ matrix.python-version }}
-    - name: Install dependencies
-      run: |
-        pip install -U pip
-        pip install -e ".[testing]"
-    - name: Run py_compile for main code
-      run: |
-        find slack_discovery_sdk -name '*.py' | xargs python -m py_compile
-    - name: Run py_compile for test code
-      run: |
-        find tests -name '*.py' | xargs python -m py_compile
-
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
+        with:
+          persist-credentials: false
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: |
+          pip install -U pip
+          pip install -e ".[testing]"
+      - name: Run py_compile for main code
+        run: |
+          find slack_discovery_sdk -name '*.py' | xargs python -m py_compile
+      - name: Run py_compile for test code
+        run: |
+          find tests -name '*.py' | xargs python -m py_compile
diff --git a/.github/workflows/pytype.yml b/.github/workflows/pytype.yml
@@ -2,7 +2,8 @@ name: Type hint validation using pytype
 
 on:
   push:
-    branches: [ main ]
+    branches:
+      - main
   pull_request:
 
 jobs:
@@ -11,19 +12,24 @@ jobs:
     timeout-minutes: 5
     strategy:
       matrix:
-        python-version: ['3.9']
+        python-version:
+          - "3.9"
+    permissions:
+      contents: read
     steps:
-    - uses: actions/checkout@v2
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
-      with:
-        python-version: ${{ matrix.python-version }}
-    - name: Install dependencies
-      run: |
-        pip install -U pip
-        pip install -e ".[testing]"
-        # As pytype can change its behavior in newer versions, we manually upgrade it
-        pip install "pytype==2023.9.27"
-    - name: Run pytype
-      run: |
-        pytype slack_discovery_sdk/
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
+        with:
+          persist-credentials: false
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: |
+          pip install -U pip
+          pip install -e ".[testing]"
+          # As pytype can change its behavior in newer versions, we manually upgrade it
+          pip install "pytype==2023.9.27"
+      - name: Run pytype
+        run: |
+          pytype slack_discovery_sdk/
