update GH actions using stepsecurity tool

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
cert-manager · Jul 3, 2024 · bc93e02 · bc93e02
1 parent cb3ebf9
commit bc93e02
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 7 deletions.
diff --git a/.github/workflows/go-auto-upgrade.yaml b/.github/workflows/go-auto-upgrade.yaml
@@ -6,6 +6,9 @@ on:
     # 10pm daily
     - cron: '0 22 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   go_upgrade_pr:
     runs-on: ubuntu-latest
@@ -21,7 +24,7 @@ jobs:
           echo "This workflow should not be run on a branch other than main."
           exit 1
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - run: |
           git checkout -B "go-version-bump"
@@ -47,7 +50,7 @@ jobs:
           git push -f origin go-version-bump
 
       - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const { repo, owner } = context.repo;

diff --git a/modules/go/base/.github/workflows/govulncheck.yaml b/modules/go/base/.github/workflows/govulncheck.yaml
@@ -10,18 +10,21 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

diff --git a/modules/repository-base/base/.github/workflows/make-self-upgrade.yaml b/modules/repository-base/base/.github/workflows/make-self-upgrade.yaml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   self_upgrade:
     runs-on: ubuntu-latest
@@ -27,13 +30,13 @@ jobs:
           echo "This workflow should not be run on a non-branch-head."
           exit 1
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 
@@ -64,7 +67,7 @@ jobs:
           git push -f origin "$SELF_UPGRADE_BRANCH"
 
       - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const { repo, owner } = context.repo;