feat(ci): pin versions, tighten permissions

2026-01-26 11:34:00 +00:00 · 2025-02-02 14:20:05 +02:00
parent ab2a86b6e2
commit 19f792e5d1
12 changed files with 86 additions and 63 deletions
--- a/.github/workflows/action-security.yml
+++ b/.github/workflows/action-security.yml
@@ -16,6 +16,11 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+  actions: read
+  pull-requests: read
+
 jobs:
  analyze:
    name: Analyze Action Security
@@ -23,16 +28,13 @@ jobs:
    timeout-minutes: 30

    permissions:
-      contents: read
      security-events: write
-      actions: read
-      pull-requests: read
      statuses: write
      issues: write

    steps:
      - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

@@ -55,7 +57,7 @@ jobs:
          fi

      - name: Run actionlint
-        uses: raven-actions/actionlint@v2
+        uses: raven-actions/actionlint@01fce4f43a270a612932cb1c64d40505a029f821 # v2.0.0
        with:
          cache: true
          fail-on-error: true
@@ -63,7 +65,7 @@ jobs:

      - name: Run Gitleaks
        if: steps.check-configs.outputs.run_gitleaks == 'true'
-        uses: gitleaks/gitleaks-action@v2.3.7
+        uses: gitleaks/gitleaks-action@83373cf2f8c4db6e24b41c1a9b086bb9619e9cd3 # v2.3.7
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
@@ -73,7 +75,7 @@ jobs:
          report-path: gitleaks-report.sarif

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@a11da62073708815958ea6d84f5650c78a3ef85b # master
        with:
          scan-type: 'fs'
          security-checks: 'vuln,config,secret'
@@ -114,21 +116,21 @@ jobs:

      - name: Upload Trivy results
        if: steps.verify-sarif.outputs.has_trivy == 'true'
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
        with:
          sarif_file: 'trivy-results.sarif'
          category: 'trivy'

      - name: Upload Gitleaks results
        if: steps.verify-sarif.outputs.has_gitleaks == 'true'
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
        with:
          sarif_file: 'gitleaks-report.sarif'
          category: 'gitleaks'

      - name: Archive security reports
        if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: security-reports-${{ github.run_id }}
          path: |
@@ -138,7 +140,7 @@ jobs:

      - name: Analyze Results
        if: always()
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            const fs = require('fs');
@@ -229,7 +231,7 @@ jobs:

      - name: Notify on Critical Issues
        if: failure()
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            const { repo, owner } = context.repo;