[StepSecurity] ci: Harden GitHub Actions

.github/workflows/dependency-review.yml

@@ -23,17 +23,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout scan target
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Checkout licenses
-        uses:  actions/checkout@v4
+        uses:  actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           repository: coveo/dependency-allowed-licenses
           path: coveo-dependency-allowed-licenses
 
       - name: Select configuration
         id: select-config
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         env:
           INPUTS: ${{ toJSON(inputs) }}
         with:
@@ -53,7 +53,7 @@ jobs:
             core.setFailure(`Could not determine configuration for inputs: ${inputs}`)
 
       - name: Scan
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
         with:
           comment-summary-in-pr: ${{ inputs.comment-summary-in-pr }}
           fail-on-severity: high

.github/workflows/java-maven-openjdk-codeql.yml

@@ -25,6 +25,9 @@ on:
         required: true
         type: number
 
+permissions:
+  contents: read
+
 jobs:
   analyze-java:
     name: Analyze Java
@@ -44,15 +47,15 @@ jobs:
       - run: echo "HOME=/root" >> $GITHUB_ENV
 
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
         with:
           languages: java
 
       - name: Cache maven dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
         with:
           path: ~/.m2
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@@ -63,6 +66,6 @@ jobs:
         run: mvn ${{ inputs.mvn-additional-arguments }} -T1C --also-make --batch-mode --strict-checksums --update-snapshots -Dmaven.gitcommitid.skip=true -DskipTests clean test-compile
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
         with:
           category: "/language:java"

.github/workflows/java-maven-openjdk-dependency-submission.yml

@@ -25,6 +25,9 @@ on:
         required: true
         type: number
 
+permissions:
+  contents: read
+
 jobs:
   submit-dependencies:
     name: Submit dependencies
@@ -41,18 +44,18 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Cache maven dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
         with:
           path: ~/.m2
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
             ${{ runner.os }}-maven-
 
       - name: Submit Dependency Snapshot
-        uses: advanced-security/maven-dependency-submission-action@v3
+        uses: advanced-security/maven-dependency-submission-action@fcd7eab6b6d22946badc98d1e62665cdee93e0ae # v3.0.3
         with:
           directory: ${{ inputs.directory }}
           maven-args: -Dscopes=compile,provided,runtime,system