fixed the token-permission and pinned-dependencies issue

Signed-off-by: harshitasao <[email protected]>

.github/workflows/ci.yml

@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.head_ref || github.run_id }}
   cancel-in-progress: true  
 
+permissions:  
+  contents: read
+
 jobs:
   fetch-version:
     uses: ./.github/workflows/reusable_fetch_version.yaml

.github/workflows/codeql.yaml

@@ -18,6 +18,9 @@ on:
     # The branches below must be a subset of the branches above
     branches: [ "master" ]
 
+permissions:  
+  contents: read
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/codespell.yml

@@ -1,6 +1,9 @@
 name: Codespell
 on:
   pull_request:
+permissions:  
+  contents: read
+
 jobs:
   codespell:
     runs-on: ubuntu-latest

.github/workflows/engine-version-weakcheck.yaml

@@ -9,6 +9,9 @@ on:
       - 'userspace/engine/*.cpp'
       - 'userspace/engine/*.h'
 
+permissions:  
+  contents: read
+
 jobs:
   paths-filter:
     runs-on: ubuntu-latest

.github/workflows/insecure-api.yaml

@@ -6,6 +6,9 @@ on:
       - 'release/**'
       - 'maintainers/**'
 
+permissions:  
+  contents: read
+
 jobs:
   insecure-api:
     name: check-insecure-api

.github/workflows/master.yaml

@@ -8,6 +8,9 @@ concurrency:
   group: ci-master
   cancel-in-progress: true  
 
+permissions:  
+  contents: read
+
 jobs:
   fetch-version:
     uses: ./.github/workflows/reusable_fetch_version.yaml 

.github/workflows/release.yaml

@@ -8,6 +8,9 @@ concurrency:
   group: ci-release
   cancel-in-progress: true  
 
+permissions:  
+  contents: read
+
 jobs:
   release-settings:
     runs-on: ubuntu-latest
@@ -16,7 +19,7 @@ jobs:
       bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
     steps:
       - name: Get latest release
-        uses: rez0n/[email protected]
+        uses: rez0n/actions-github-release@27a57820ee808f8fd940c8a9d1f7188f854aa2b5 # v2.0
         id: latest_release
         env:
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/reusable_build_dev.yaml

@@ -33,6 +33,9 @@ on:
         default: ''
         type: string
 
+permissions: 
+  contents: read
+
 jobs:
   build-and-test:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936

.github/workflows/reusable_build_docker.yaml

@@ -24,6 +24,9 @@ on:
 # then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
 # In this way, we don't need to publish any arch specific image, 
 # and this "build" workflow is actually only building images.
+permissions:  
+  contents: read
+
 jobs:
   build-docker:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936

.github/workflows/reusable_build_packages.yaml

@@ -21,6 +21,9 @@ on:
         type: boolean
         default: false
 
+permissions:  
+  contents: read
+
 jobs:
   build-modern-bpf-skeleton:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936

.github/workflows/reusable_fetch_version.yaml

@@ -6,6 +6,9 @@ on:
         description: "Falco version"
         value: ${{ jobs.fetch-version.outputs.version }}
 
+permissions:  
+  contents: read
+
 jobs:
   # We need to use an ubuntu-latest to fetch Falco version because
   # Falco version is computed by some cmake scripts that do git sorceries

.github/workflows/reusable_test_packages.yaml

@@ -21,6 +21,9 @@ on:
         default: false
         type: boolean
 
+permissions:  
+  contents: read
+
 jobs:
   test-packages:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
@@ -54,7 +57,7 @@ jobs:
       - name: Run tests
         env:
           LSAN_OPTIONS: "intercept_tls_get_addr=0"
-        uses: falcosecurity/testing@main    
+        uses: falcosecurity/testing@32e319ae505fb330ae74db4502e605a5e517ff22 # main    
         with:
           test-falco: 'true'
           test-falcoctl: 'true'

.github/workflows/staticanalysis.yaml

@@ -1,6 +1,9 @@
 name: StaticAnalysis
 on:
   pull_request:
+permissions:  
+  contents: read
+
 jobs:
   staticanalysis:
     runs-on: ubuntu-22.04