Merge pull request #4483 from github/jm_action_tags_and_permissions

fix: action permissions and tagging (shas)

Author: jmeridth

.github/dependabot.yml

@@ -1,12 +1,16 @@
+---
 version: 2
 updates:
-  - package-ecosystem: github-actions
+  - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: daily
-      time: "10:00"
-      timezone: Europe/Vienna
-    pull-request-branch-name:
-      separator: "-"
+      interval: "daily"
+    commit-message:
+      prefix: "chore(deps)"
     open-pull-requests-limit: 99
-    rebase-strategy: disabled
+    groups:
+      dependencies:
+        applies-to: version-updates
+        update-types:
+          - "minor"
+          - "patch"

.github/workflows/collections-renames.yml

@@ -3,30 +3,35 @@ name: Check and update renamed/removed collection items
 on:
   workflow_dispatch:
   schedule:
-    - cron:  "0 * * * *" # every hour
+    - cron: "0 * * * *" # every hour
+
+permissions:
+  contents: read
 
 jobs:
   update:
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     if: github.repository_owner == 'github'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
 
       - name: Setup Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@f26937343756480a8cb3ae1f623b9c8d89ed6984 # v1
         with:
           bundler-cache: true
 
       - name: Test collection with autofix and commit changes
-        uses: technote-space/create-pr-action@v2
+        uses: technote-space/create-pr-action@91114507cf92349bec0a9a501c2edf1635427bc5 # v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           AUTOCORRECT_RENAMED_REPOS: 1
         with:
           EXECUTE_COMMANDS: |
             bundle exec rake collections
-          COMMIT_MESSAGE: '✨ Autofixing renamed/removed collection items ✨'
-          COMMIT_NAME: 'GitHub Actions'
-          COMMIT_EMAIL: '[email protected]'
-          PR_BRANCH_NAME: 'update-collections-${PR_ID}'
-          PR_TITLE: '✨ Autofixing renamed/removed collection items ✨'
+          COMMIT_MESSAGE: "✨ Autofixing renamed/removed collection items ✨"
+          COMMIT_NAME: "GitHub Actions"
+          COMMIT_EMAIL: "[email protected]"
+          PR_BRANCH_NAME: "update-collections-${PR_ID}"
+          PR_TITLE: "✨ Autofixing renamed/removed collection items ✨"

.github/workflows/conflict.yml

@@ -4,6 +4,9 @@ on:
   pull_request:
   merge_group:
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

.github/workflows/jekyll_build.yml

@@ -8,35 +8,36 @@ on:
 
 permissions:
   contents: read
-  pages: write
-  id-token: write
-  
+
 concurrency:
   group: "pages"
   cancel-in-progress: true
 
 jobs:
   build:
+    permissions:
+      pages: write
+      id-token: write
     runs-on: ubuntu-latest
     steps:
-    - name: 📂 checkout
-      uses: actions/checkout@v4
+      - name: 📂 checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
+
+      - name: 💎 setup ruby
+        uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # v1.152.0
+        with:
+          bundler-cache: true
+          cache-version: 0
 
-    - name: 💎 setup ruby
-      uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # v1.152.0
-      with:
-        bundler-cache: true
-        cache-version: 0
+      - name: 📄 setup pages
+        id: pages
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
 
-    - name: 📄 setup pages
-      id: pages
-      uses: actions/configure-pages@v5
+      - name: 🔨 install dependencies & build site
+        uses: actions/jekyll-build-pages@44a6e6beabd48582f863aeeb6cb2151cc1716697 # v1.0.13
 
-    - name: 🔨 install dependencies & build site
-      uses: actions/[email protected]
-      
-    - name: ⚡️ upload artifact
-      uses: actions/upload-pages-artifact@v3
+      - name: ⚡️ upload artifact
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
 
   deploy:
     needs: build
@@ -49,4 +50,4 @@ jobs:
     steps:
       - name: 🚀 deploy
         id: deployment
-        uses: actions/[email protected]
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5

.github/workflows/lint.yml

@@ -8,20 +8,23 @@ on:
   workflow_dispatch:
   merge_group:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
 
       - name: Setup Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@f26937343756480a8cb3ae1f623b9c8d89ed6984 # v1
         with:
           bundler-cache: true
 
       - name: Run linters
         if: ${{ github.event_name != 'merge_group' }}
-        uses: wearerequired/lint-action@v2
+        uses: wearerequired/lint-action@548d8a7c4b04d3553d32ed5b6e91eb171e10e7bb # v2
         with:
           auto_fix: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.repository_owner }}
           rubocop: true

.github/workflows/stale.yml

@@ -14,7 +14,7 @@ jobs:
       pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v9
+    - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9
       with:
         stale-pr-message: >
           This pull request has been automatically marked as stale because it has not

.github/workflows/test.yml

@@ -8,6 +8,9 @@ on:
   workflow_dispatch:
   merge_group:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     strategy:
@@ -19,7 +22,7 @@ jobs:
           - all
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
         with:
           fetch-depth: 0
 
@@ -40,7 +43,7 @@ jobs:
 
       - name: Setup Ruby
         if: ${{ steps.topics.outputs.changed || steps.collections.outputs.changed || steps.all.outputs.changed }}
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@f26937343756480a8cb3ae1f623b9c8d89ed6984 # v1
         with:
           bundler-cache: true
 

.gitignore

@@ -8,3 +8,4 @@ _site
 vendor
 .bundle
 .idea
+.tool-versions