[StepSecurity] ci: Harden GitHub Actions

.github/workflows/dependency-review.yml

@@ -17,23 +17,31 @@ on:
         default: on-failure
         type: string
 
+permissions:
+  pull-requests: write
+
 jobs:
   dependency-review:
     name: Dependency Review
+
     runs-on: ubuntu-latest
+
+    permissions:
+      pull-requests: write
+
     steps:
       - name: Checkout scan target
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Checkout licenses
-        uses:  actions/checkout@v4
+        uses:  actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           repository: coveo/dependency-allowed-licenses
           path: coveo-dependency-allowed-licenses
 
       - name: Select configuration
         id: select-config
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         env:
           INPUTS: ${{ toJSON(inputs) }}
         with:
@@ -53,7 +61,7 @@ jobs:
             core.setFailure(`Could not determine configuration for inputs: ${inputs}`)
 
       - name: Scan
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
         with:
           comment-summary-in-pr: ${{ inputs.comment-summary-in-pr }}
           fail-on-severity: high

.github/workflows/java-maven-openjdk-codeql.yml

@@ -25,6 +25,9 @@ on:
         required: true
         type: number
 
+permissions:
+  contents: read
+
 jobs:
   analyze-java:
     name: Analyze Java
@@ -44,15 +47,15 @@ jobs:
       - run: echo "HOME=/root" >> $GITHUB_ENV
 
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
         with:
           languages: java
 
       - name: Cache maven dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
         with:
           path: ~/.m2
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@@ -63,6 +66,6 @@ jobs:
         run: mvn ${{ inputs.mvn-additional-arguments }} -T1C --also-make --batch-mode --strict-checksums --update-snapshots -Dmaven.gitcommitid.skip=true -DskipTests clean test-compile
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
         with:
           category: "/language:java"

.github/workflows/java-maven-openjdk-dependency-submission.yml

@@ -25,6 +25,9 @@ on:
         required: true
         type: number
 
+permissions:
+  contents: read
+
 jobs:
   submit-dependencies:
     name: Submit dependencies
@@ -41,18 +44,18 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Cache maven dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
         with:
           path: ~/.m2
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
             ${{ runner.os }}-maven-
 
       - name: Submit Dependency Snapshot
-        uses: advanced-security/maven-dependency-submission-action@v4
+        uses: advanced-security/maven-dependency-submission-action@bfd2106013da0957cdede0b6c39fb5ca25ae375e # v4.0.2
         with:
           directory: ${{ inputs.directory }}
           maven-args: -Dscopes=compile,provided,runtime,system

.github/workflows/scorecard.yml

@@ -30,6 +30,13 @@ jobs:
       # Needed to publish results and get a badge (see publish_results below).
       id-token: write
 
+      # To allow GraphQL ListCommits to work
+      issues: read
+      pull-requests: read
+
+      # To detect SAST tools
+      checks: read
+
     steps:
       - name: "Checkout code"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

.github/workflows/test-dependency-review.yml

@@ -3,16 +3,18 @@ name: Test Coveo Dependency Reviewer
 on: pull_request
 
 permissions:
-  contents: read
   pull-requests: write
 
 jobs:
   test:
+    permissions:
+      pull-requests: write
+
     strategy:
       matrix:
         public: [true, false]
         distributed: [true, false]
-        comment-summary-in-pr: [true, false]
+        comment-summary-in-pr: ['always', 'on-failure', 'never']
       fail-fast: false
 
     uses: ./.github/workflows/dependency-review.yml