Commit ff1ac1bc5e67

Vincent Demeester <vincent@sbr.pm>
2024-01-02 09:57:36
Hardened github workflows by pinning dependencies…
… and setting some things as readonly. Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent ca474b6
Changed files (2)
.github/workflows/build-systems.yaml
@@ -1,5 +1,8 @@
 name: Nix Flake actions
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch: {}
   pull_request:
@@ -16,8 +19,8 @@ jobs:
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: cachix/install-nix-action@v24
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
       - id: set-matrix
         name: Generate Nix Matrix
         run: |
@@ -34,7 +37,7 @@ jobs:
       matrix: ${{fromJSON(needs.nix-matrix.outputs.matrix)}}
     steps:
       - name: Maximize build space
-        uses: AdityaGarg8/remove-unwanted-software@v1
+        uses: AdityaGarg8/remove-unwanted-software@6241eb8f15184023d3a01e295ab2bc0e67ecc06d # v1
         with:
           remove-android: 'true'
           remove-dotnet: 'true'
@@ -42,9 +45,9 @@ jobs:
         run: |
           echo "Free space:"
           df -h
-      - uses: actions/checkout@v4
-      - uses: cachix/install-nix-action@v24
-      - uses: cachix/cachix-action@v13
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
+      - uses: cachix/cachix-action@6a2e08b5ebf7a9f285ff57b1870a4262b06e0bee # v13
         with:
           name: vdemeester
           authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
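Review bot: The workflow-level `permissions: contents: read` added in the first hunk applies to every job in this file, including the build job at the end of the section that authenticates to Cachix with `${{ secrets.CACHIX_AUTH_TOKEN }}` rather than `GITHUB_TOKEN`, so the narrowed token should not break that step, but nothing records that reasoning; a comment above the block such as `# Least privilege for GITHUB_TOKEN: jobs only read the checkout; Cachix auth uses its own secret` would keep a later maintainer from widening it when adding a step. The same three SHA pins are repeated in the second and fourth hunks (and again in nix-auto-upgrade.yaml), so they can drift apart on the next bump; the trailing `# v4.1.1` / `# v24` comments are what Dependabot's `github-actions` ecosystem and Renovate use to update pinned SHAs, so keep them on every occurrence and consider pairing this commit with such an updater config so the pins do not silently go stale. The comment granularity is also uneven (`# v4.1.1` is a full release, `# v24` only a major tag); pinning to the exact release tag in the comment where one exists makes later audits of what the SHA resolves to easier.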
.github/workflows/nix-auto-upgrade.yaml
@@ -9,14 +9,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Install Nix
-        uses: cachix/install-nix-action@v24
+        uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
         with:
           extra_nix_config: |
             access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
       - name: Update flake.lock
-        uses: DeterminateSystems/update-flake-lock@v20
+        uses: DeterminateSystems/update-flake-lock@da2fd6f2563fe3e4f2af8be73b864088564e263d # v20
         with:
           pr-title: "Update flake.lock" # Title of PR to be created
           pr-labels: |                  # Labels to be set on the PR
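Review bot: The `update-flake-lock` step pinned at the end of the hunk opens a pull request, which needs the job token to carry `contents: write` and `pull-requests: write`; if a workflow-level `permissions: contents: read` block is added to this file as was done in build-systems.yaml (the top of this file is outside the hunk, so I cannot tell), that step would fail at runtime, so the write scopes belong on this job explicitly, e.g. `permissions:` / `  contents: write` / `  pull-requests: write` under the job. The `extra_nix_config` line hands `${{ secrets.GITHUB_TOKEN }}` to Nix as an access token, which is a second use of the token worth a one-line comment on why it is needed there (presumably to avoid unauthenticated github.com rate limits on flake fetches — confirm). The job definition starts before the hunk.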