feat(ci): pin versions, tighten permissions

2026-02-09 23:45:46 +00:00 · 2025-02-02 14:20:05 +02:00
parent ab2a86b6e2
commit 19f792e5d1
12 changed files with 86 additions and 63 deletions
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -45,6 +45,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  megalinter:
    name: MegaLinter
@@ -59,14 +62,14 @@ jobs:

    steps:
      - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
          fetch-depth: 0

      - name: MegaLinter
        id: ml
-        uses: oxsecurity/megalinter/flavors/cupcake@v8.4.1
+        uses: oxsecurity/megalinter/flavors/cupcake@839e6d63c0423eb74ce2578225f8b8b4bed63ede # v8.4.1
        env:
          PARALLEL: true # Run linters in parallel
          FILTER_REGEX_EXCLUDE: '(\.automation/test|docs/json-schemas|\.github/workflows)'
@@ -100,7 +103,7 @@ jobs:

      - name: Upload Reports
        if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: MegaLinter reports
          path: |
@@ -110,7 +113,7 @@ jobs:

      - name: Upload SARIF Report
        if: always() && hashFiles('megalinter-reports/sarif/*.sarif')
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
        with:
          sarif_file: megalinter-reports/sarif
          category: megalinter
@@ -130,7 +133,7 @@ jobs:
          env.APPLY_FIXES_MODE == 'pull_request' &&
          (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) &&
          !contains(github.event.head_commit.message, 'skip fix')
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
        id: cpr
        with:
          token: ${{ secrets.FIXIMUS_TOKEN || secrets.GITHUB_TOKEN }}
@@ -165,7 +168,7 @@ jobs:
          github.ref != 'refs/heads/main' &&
          (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) &&
          !contains(github.event.head_commit.message, 'skip fix')
-        uses: stefanzweifel/git-auto-commit-action@v5
+        uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
        with:
          branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
          commit_message: |
@@ -178,7 +181,7 @@ jobs:

      - name: Create Status Check
        if: always()
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            const status = '${{ steps.check-results.outputs.status }}';