chore: set explicit workflow permissions and pin down actions (#495)

Signed-off-by: tdruez <tdruez@aboutcode.org>

Author: tdruez

.github/workflows/create-github-release.yml

@@ -9,10 +9,12 @@ on:
 jobs:
   create-github-release:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write  # needed to create releases and upload assets
 
     steps:
       - name: Create a GitHub release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b  # v2.5.0
         with:
           generate_release_notes: true
           draft: false

.github/workflows/find-vulnerabilities.yml

@@ -10,16 +10,20 @@ on:
 jobs:
   scan-codebase:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+
     name: Inspect packages with ScanCode.io
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           path: scancode-inputs
           sparse-checkout: pyproject.toml
           sparse-checkout-cone-mode: false
+          persist-credentials: false  # do not keep the token around
 
       - name: Fail on known vulnerabilities
-        uses: aboutcode-org/scancode-action@main
+        uses: aboutcode-org/scancode-action@8adbf888f487c3cdf6c15386035769cd03a94c66
         with:
           pipelines: "inspect_packages:StaticResolver,find_vulnerabilities"
           check-compliance: true

.github/workflows/pr-quality.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-24.04
     name: Detects and automatically closes low-quality and AI slop PRs
     steps:
-      - uses: peakoss/anti-slop@v0
+      - uses: peakoss/anti-slop@e158eeefe5c43e1d3ba8533b84e0e35d9d6761de
         with:
           # Number of check failures needed before failure actions are triggered
           max-failures: 3

.github/workflows/publish-docker-image.yml

@@ -22,15 +22,19 @@ jobs:
     permissions:
       contents: read
       packages: write
+      attestations: write
+      id-token: write
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false  # do not keep the token around
 
       # Uses the `docker/login-action` action to log in to the Container registry using
       # the account and password that will publish the packages.
       - name: Log in to the Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -42,7 +46,7 @@ jobs:
       # The `images` value provides the base name for the tags and labels.
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051  # v5.10.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
@@ -53,11 +57,22 @@ jobs:
       # It uses the `tags` and `labels` parameters to tag and label the image with
       # the output from the "meta" step.
       - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+        id: push
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8  # v6.19.2
         with:
           context: .
           push: true
           tags: |
             ${{ steps.meta.outputs.tags }}
             ${{ env.REGISTRY }}/aboutcode-org/dejacode:latest
           labels: ${{ steps.meta.outputs.labels }}
+
+      # This step generates an artifact attestation for the image, which is an
+      # unforgeable statement about where and how it was built.
+      # It increases supply chain security for people who consume the image.
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  #  v4.1.0
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/run-unit-tests-docker.yml

@@ -10,10 +10,14 @@ on:
 jobs:
   run-unit-tests:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
 
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false  # do not keep the token around
 
       - name: Generate the .env file and the SECRET_KEY
         run: make envfile

.github/workflows/run-unit-tests.yml

@@ -16,10 +16,12 @@ env:
 jobs:
   run-unit-tests:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
 
     services:
       postgres:
-        image: postgres:16
+        image: postgres:16.13
         env:
           POSTGRES_DB: ${{ env.DATABASE_NAME }}
           POSTGRES_USER: ${{ env.DATABASE_USER }}
@@ -35,10 +37,12 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false  # do not keep the token around
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: "3.14"
 
@@ -59,7 +63,7 @@ jobs:
         run: make check
 
       - name: Start Redis
-        uses: supercharge/redis-github-action@1.8.1
+        uses: supercharge/redis-github-action@bc274cb7238cd63a45029db04ee48c07a72609fd  # v1.8.1
 
       - name: Build the documentation
         run: make docs