fix(ci): pin GitHub Actions to commit SHAs and restrict GITHUB_TOKEN permissions

markuslf · markuslf · commit b87a4e421267 · 2026-04-08T11:48:03.000+02:00
Resolve OpenSSF Scorecard alerts for TokenPermissions and PinnedDependencies
by pinning all GitHub Actions to commit SHAs, hash-pinning pip install commands,
and moving write permissions from workflow-level to job-level.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: 'Harden Runner'
-        uses: 'step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594' # v2.16.0
+        uses: 'step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d' # v2.16.1
         with:
           egress-policy: 'audit'
 
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: 'ubuntu-latest'
     steps:
       - name: 'Harden Runner'
-        uses: 'step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594' # v2.16.0
+        uses: 'step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d' # v2.16.1
         with:
           egress-policy: 'audit'
 
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -32,7 +32,9 @@ jobs:
           python-version: '3.12'
 
       - name: 'Install dependencies'
-        run: 'pip install mkdocs mkdocs-material'
+        run: |
+          pip install --require-hashes --requirement /dev/stdin <<< "mkdocs==1.6.1 --hash=sha256:db91759624d1647f3f34aa0c3f327dd2601beae39a366d6e064c03468d35c20e"
+          pip install --require-hashes --requirement /dev/stdin <<< "mkdocs-material==9.7.6 --hash=sha256:71b84353921b8ea1ba84fe11c50912cc512da8fe0881038fcc9a0761c0e635ba"
 
       - name: 'Generate docs structure'
         run: 'python3 tools/build-docs'
diff --git a/.github/workflows/lf-build.yml b/.github/workflows/lf-build.yml
@@ -15,14 +15,15 @@ on:
       - 'v*'
 
 # modify the default permissions granted to the GITHUB_TOKEN
-permissions:
-  contents: 'read' # to checkout the code
-  packages: 'write' # to push to GitHub Container Registry
+permissions: 'read-all'
 
 jobs:
 
   build:
     runs-on: 'ubuntu-latest'
+    permissions:
+      contents: 'read' # to checkout the code
+      packages: 'write' # to push to GitHub Container Registry
 
     steps:
 
@@ -70,7 +71,7 @@ jobs:
       - name: 'Install Ansible Builder'
         run: |
           python3 -m pip install --upgrade pip
-          pip install ansible-builder
+          pip install --require-hashes --requirement /dev/stdin <<< "ansible-builder==3.1.1 --hash=sha256:a8246022edb92ca27ea95e87c7af30bcb2752f108dcc75fbf96e77196dff1072"
 
       - name: 'Strip badges from README.md (not rendered correctly on Galaxy)'
         run: |
diff --git a/.github/workflows/lf-release.yml b/.github/workflows/lf-release.yml
@@ -6,12 +6,13 @@ on:
       - 'v*'
 
 # modify the default permissions granted to the GITHUB_TOKEN
-permissions:
-  contents: 'write' # to push to the repo and create the release
+permissions: 'read-all'
 
 jobs:
   release:
     runs-on: 'ubuntu-latest'
+    permissions:
+      contents: 'write' # to push to the repo and create the release
 
     steps:
 
diff --git a/.github/workflows/pre-commit-autoupdate.yml b/.github/workflows/pre-commit-autoupdate.yml
@@ -5,13 +5,14 @@ on:
     - cron: '0 8 * * 1'
   workflow_dispatch: {}
 
-permissions:
-  contents: 'write'
-  pull-requests: 'write'
+permissions: 'read-all'
 
 jobs:
   update:
     runs-on: 'ubuntu-latest'
+    permissions:
+      contents: 'write'
+      pull-requests: 'write'
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
@@ -27,7 +28,7 @@ jobs:
           python-version: '3.12'
 
       - name: 'Install pre-commit'
-        run: 'pip install pre-commit'
+        run: 'pip install --require-hashes --requirement /dev/stdin <<< "pre-commit==4.5.1 --hash=sha256:3b3afd891e97337708c1674210f8eba659b52a38ea5f822ff142d10786221f77"'
 
       - name: 'Run pre-commit autoupdate'
         run: 'pre-commit autoupdate'
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -17,7 +17,7 @@ jobs:
 
     steps:
       - name: 'Harden Runner'
-        uses: 'step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594' # v2.16.0
+        uses: 'step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d' # v2.16.1
         with:
           egress-policy: 'audit'
 
