Merge pull request #929 from github/security-fixes

yoannchaudet · web-flow · commit cd7369a21e3e · 2024-11-27T15:12:37.000-08:00
Fix security issues in various workflows
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
@@ -5,10 +5,14 @@ on:
     tags: [ 'v*' ]
   pull_request:
     branches: [ master ]
- 
+
 env:
   REGISTRY: ghcr.io
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -18,23 +22,23 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
 
       - name: Log in to the Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Get Docker Metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository }}
 
       - name: Build Docker Image and Push to Container Registry
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
diff --git a/.github/workflows/publish-gem.yml b/.github/workflows/publish-gem.yml
@@ -4,21 +4,24 @@ on:
   release:
     types: [released]
 
+permissions:
+  contents: read
+
 jobs:
   release:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Setup Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc
         with:
           ruby-version: "3.3"
       - name: Build gem
         run: |
           gem build github-pages.gemspec
       - name: Publish gem
         env:
-          GEM_HOST_API_KEY: ${{ secrets.PAGES_GEM_PUBLISH }}  
+          GEM_HOST_API_KEY: ${{ secrets.PAGES_GEM_PUBLISH }}
         run: |
           gem push github-pages-*.gem
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -1,5 +1,7 @@
 on: push
 name: cibuild on push
+permissions:
+  contents: read
 jobs:
   build:
     name: "GitHub Pages Tests"
