ci: harden GitHub actions (#22321)

2024-11-25 23:22:02 +00:00 · 2023-07-25 07:47:29 -07:00 · 2023-07-25 07:47:29 -07:00 · 2748e54aec
commit 2748e54aec
parent b650207fa5
2 changed files with 11 additions and 5 deletions
--- a/.github/workflows/ecosystem-ci-trigger.yml
+++ b/.github/workflows/ecosystem-ci-trigger.yml
@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest
    if: github.repository == 'nuxt/nuxt' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/ecosystem-ci run')
    steps:
-      - uses: actions/github-script@v6
+      - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
        with:
          script: |
            const user = context.payload.sender.login
@ -48,7 +48,7 @@ jobs:
              })
              throw new Error('not allowed')
            }
-      - uses: actions/github-script@v6
+      - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
        id: get-pr-data
        with:
          script: |
@ -64,12 +64,12 @@ jobs:
              repo: pr.head.repo.full_name
            }
      - id: generate-token
-        uses: tibdex/github-app-token@v1
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
        with:
          app_id: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_ID }}
          private_key: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_PRIVATE_KEY }}
          repository: "${{ github.repository_owner }}/ecosystem-ci"
-      - uses: actions/github-script@v6
+      - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
        id: trigger
        env:
          COMMENT: ${{ github.event.comment.body }}
--- a/.github/workflows/semantic-pull-requests.yml
+++ b/.github/workflows/semantic-pull-requests.yml
@ -7,14 +7,20 @@ on:
      - edited
      - synchronize

+permissions:
+  contents: read
+
 jobs:
  main:
+    permissions:
+      pull-requests: read  # for amannn/action-semantic-pull-request to analyze PRs
+      statuses: write  # for amannn/action-semantic-pull-request to mark status of analyzed PR
    if: github.repository == 'nuxt/nuxt'
    runs-on: ubuntu-latest
    name: Semantic pull request
    steps:
      - name: Validate PR title
-        uses: amannn/action-semantic-pull-request@v5
+        uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 # v5.2.0
        with:
          scopes: |
            kit