Merge pull request #48 from cdlib/reduce_workflow_permissions

cscollett · web-flow · commit 251b9bbad79c · 2025-02-19T13:28:14.000-08:00
Add permissions and 3rd-party pinning
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
 name: CI
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -14,7 +17,8 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Set up Docker Build
-      uses: docker/setup-buildx-action@v3.4.0
+      uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca  # v3.9.0 
+      # update w/ git ls-remote https://github.com/docker/setup-buildx-action.git | grep refs/tags/v
 
     - name: Build current Docker image with tests
       run: |
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
@@ -1,5 +1,8 @@
 name: Code Analysis
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/compatability-matrix.yml b/.github/workflows/compatability-matrix.yml
@@ -1,5 +1,8 @@
 name: Compatibility Matrix
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
 
diff --git a/.github/workflows/docker-matrix.yml b/.github/workflows/docker-matrix.yml
@@ -1,5 +1,8 @@
 name: Docker Matrix
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
 
@@ -18,7 +21,8 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Set up Docker Build
-      uses: docker/setup-buildx-action@v3.4.0
+      uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca  # v3.9.0 
+      # update w/ git ls-remote https://github.com/docker/setup-buildx-action.git | grep refs/tags/v
 
     - name: Build current Docker image with tests
       run: |
