From e3dc388f30ec0bc238027078ace9d054657bd875 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Sun, 15 Dec 2024 17:32:03 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/auto-add-issues-to-project.yml | 3 +++
 .github/workflows/build_canary.yml | 5 ++++-
 .github/workflows/build_release.yml | 5 ++++-
 .github/workflows/e2e-tests.yaml | 3 +++
 .github/workflows/images.yaml | 3 +++
 .github/workflows/linkinator.yaml | 3 +++
 .github/workflows/tests.yaml | 12 +++++++++---
 7 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/auto-add-issues-to-project.yml b/.github/workflows/auto-add-issues-to-project.yml
index 3ca152223..462d05930 100644
--- a/.github/workflows/auto-add-issues-to-project.yml
+++ b/.github/workflows/auto-add-issues-to-project.yml
@@ -3,6 +3,9 @@ on: issues: types: - opened +permissions: + contents: read + jobs: track_issue: runs-on: ubuntu-latest
diff --git a/.github/workflows/build_canary.yml b/.github/workflows/build_canary.yml
index 44a71195f..ef6124463 100644
--- a/.github/workflows/build_canary.yml
+++ b/.github/workflows/build_canary.yml
@@ -5,6 +5,9 @@ on: branches: [ main ] workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-20.04
@@ -40,7 +43,7 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install Cosign - uses: sigstore/cosign-installer@v3 + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - name: Check Cosign install! run: cosign version
diff --git a/.github/workflows/build_release.yml b/.github/workflows/build_release.yml
index b260251f4..ce5765b87 100644
--- a/.github/workflows/build_release.yml
+++ b/.github/workflows/build_release.yml
@@ -4,6 +4,9 @@ on: push: tags: ["v[0-9].[0-9].[0-9]"] +permissions: + contents: read + jobs: build: runs-on: ubuntu-20.04
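Review bot: The workflow-level `permissions: contents: read` added to auto-add-issues-to-project.yml replaces the default token grant rather than narrowing it, so every scope not listed — including `issues` and `repository-projects` — becomes `none` for GITHUB_TOKEN in every job of the workflow, and the `track_issue` job it now gates lies outside this hunk. If that job adds the issue to a project using `secrets.GITHUB_TOKEN` instead of a PAT or app token, the call will be refused after this change; if it already uses a PAT, the restriction costs nothing and is worth keeping. The same replace-not-merge semantics apply to the identical blocks added in build_canary.yml, build_release.yml, e2e-tests.yaml, images.yaml, linkinator.yaml and tests.yaml, so any job in those files that writes must carry its own job-level `permissions:`. Suggest confirming which token each step uses and, where GITHUB_TOKEN is the one doing the write, adding a job-level block such as `permissions:` / `  issues: write` on `track_issue`.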
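Review bot: build_canary.yml installs cosign in its `build` job (the `Install Cosign` step in the second hunk of this file), which suggests the job signs and pushes images, yet the new workflow-level `permissions: contents: read` leaves `packages` and `id-token` at `none`; a push to GHCR with GITHUB_TOKEN or a keyless cosign signature, which needs the OIDC token, would then be refused unless the job declares those scopes itself. The `build` job body is outside the hunk, so whether it actually relies on them cannot be confirmed from this patch; the same question applies to `build` in build_release.yml and `build_scaler` in images.yaml. If it does, add a job-level `permissions:` block listing `packages: write` and `id-token: write` next to `contents: read`, keeping the workflow default read-only.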
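Review bot: The `# v3.7.0` trailer on the new `sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da` pin is the only human-readable handle on the version, so it must be kept truthful whenever the SHA moves, otherwise readers trust a label the SHA no longer matches. Dependabot's `github-actions` ecosystem bumps SHA and comment together, but only if `.github/dependabot.yml` enables it, and that file is not part of this patch; worth confirming it exists, or the pins introduced here will quietly age. The identical pin in build_release.yml has the same dependency on that tooling.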
@@ -49,7 +52,7 @@ jobs: # https://github.com/sigstore/cosign-installer - name: Install Cosign - uses: sigstore/cosign-installer@v3 + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - name: Check Cosign install! run: cosign version
diff --git a/.github/workflows/e2e-tests.yaml b/.github/workflows/e2e-tests.yaml
index cd2bbe23a..c420d08ce 100644
--- a/.github/workflows/e2e-tests.yaml
+++ b/.github/workflows/e2e-tests.yaml
@@ -9,6 +9,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read + jobs: e2e_tests: runs-on: ubuntu-latest
diff --git a/.github/workflows/images.yaml b/.github/workflows/images.yaml
index 8836c0c14..65ad47247 100644
--- a/.github/workflows/images.yaml
+++ b/.github/workflows/images.yaml
@@ -7,6 +7,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read + jobs: build_scaler: runs-on: ubuntu-latest
diff --git a/.github/workflows/linkinator.yaml b/.github/workflows/linkinator.yaml
index f2e876ad1..c49115148 100644
--- a/.github/workflows/linkinator.yaml
+++ b/.github/workflows/linkinator.yaml
@@ -9,6 +9,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read + jobs: linkinator: runs-on: ubuntu-20.04
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index db7449085..d9b5b3216 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -9,6 +9,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read + jobs: validate: name: validate - ${{ matrix.name }}
@@ -67,13 +70,16 @@ jobs: run: ARCH=${{ matrix.name }} make test statics: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: read # for golangci/golangci-lint-action to fetch pull requests name: Static Checks runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: "1.23" - - uses: golangci/golangci-lint-action@v6 + - uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1 with: version: v1.60
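Review bot: The statics job in tests.yaml now pins `golangci/golangci-lint-action` to a SHA, but the linter binary it downloads is still chosen by `version: v1.60`, a floating minor that the action resolves to the newest matching patch at run time, so the supply-chain pin stops at the action wrapper. If the aim of the commit is reproducible CI inputs, pin the exact release as well, e.g. `version: v1.60.<PATCH>` (placeholder — use the patch currently in use). The explanatory comments on `contents: read` and `pull-requests: read` are a good pattern and worth repeating wherever job-level permissions are added; the other jobs in this file inherit the workflow-level `contents: read` from the first hunk. The `statics` job continues past the end of this hunk.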