chore: set explicit workflow permissions and pin down actions (#39)

Signed-off-by: tdruez <tdruez@aboutcode.org>

Author: tdruez

.github/workflows/analyze-docker-image.yml

@@ -1,15 +1,24 @@
-on: [push]
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
 
 jobs:
   scan-codebase:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+
     name: Analyze a Docker image
     steps:
       - name: Get the action.yml from the current branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           sparse-checkout: action.yml
           sparse-checkout-cone-mode: false
+          persist-credentials: false
 
       - uses: ./
         with:

.github/workflows/find-vulnerabilities.yml

@@ -1,19 +1,30 @@
-on: [push]
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
 
 jobs:
   scan-codebase:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+
     name: Scan codebase and find vulnerabilities
     steps:
       - name: Get the action.yml from the current branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           sparse-checkout: action.yml
           sparse-checkout-cone-mode: false
+          persist-credentials: false
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           path: scancode-inputs
+          persist-credentials: false
+
       - uses: ./
         with:
           pipelines: "scan_codebase,find_vulnerabilities"

.github/workflows/map-deploy-to-develop-template.yml

@@ -17,15 +17,19 @@ on:
 
 jobs:
   run-d2d-pipeline:
-    runs-on: 'ubuntu-latest'
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           repository: ${{ inputs.repository || github.repository }}
+          persist-credentials: false
 
       - name: Download build artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
         with:
           name: ${{ inputs['artifact-name'] }}
           path: ../scancode-inputs/
@@ -40,7 +44,7 @@ jobs:
           git archive --format=tar.gz -o ../scancode-inputs/from.tar.gz HEAD
 
       - name: Run D2D pipeline
-        uses: aboutcode-org/scancode-action@beta
+        uses: aboutcode-org/scancode-action@main
         with:
           pipelines: ${{ inputs.steps && format('map_deploy_to_develop:%s', inputs.steps) || 'map_deploy_to_develop' }}
           inputs-path: ../scancode-inputs

.github/workflows/map-deploy-to-develop.yml

@@ -1,15 +1,24 @@
-on: [push]
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
 
 jobs:
   scan-codebase:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+
     name: Map deploy to develop
     steps:
       - name: Get the action.yml from the current branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           sparse-checkout: action.yml
           sparse-checkout-cone-mode: false
+          persist-credentials: false
 
       - uses: ./
         with:

.github/workflows/map-source-binary-boolean-py.yml

@@ -11,25 +11,28 @@ jobs:
   build-python-wheel:
       name: Build python wheel
       runs-on: ubuntu-24.04
+      permissions:
+        contents: read
 
       steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           repository: bastikr/boolean.py
+          persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
-            python-version: 3.12
-  
+          python-version: 3.12
+
       - name: Install pypa/build and twine
         run: python -m pip install --user --upgrade build twine packaging pip setuptools
 
       - name: Build a binary wheel
         run: python -m build --wheel --outdir dist/
 
       - name: Upload wheel
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: wheel_archives
           path: dist/*.whl

.github/workflows/multi-runs.yml

@@ -1,19 +1,29 @@
-on: [push]
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
 
 jobs:
   multi-runs:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+
     name: Ensure the action can be executed multiple times
     steps:
       - name: Get the action.yml from the current branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           sparse-checkout: action.yml
           sparse-checkout-cone-mode: false
+          persist-credentials: false
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           path: scancode-inputs
+          persist-credentials: false
 
       - uses: ./
         with:

.github/workflows/run-android-deploy-to-develop.yml

@@ -1,15 +1,24 @@
-on: [push]
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
 
 jobs:
   scan-codebase:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+
     name: Run Android D2D
     steps:
       - name: Get the action.yml from the current branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           sparse-checkout: action.yml
           sparse-checkout-cone-mode: false
+          persist-credentials: false
 
       - uses: ./
         with:

.github/workflows/scan-codebase.yml

@@ -1,19 +1,30 @@
-on: [push]
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
 
 jobs:
   scan-codebase:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+
     name: Scan codebase and check for compliance issues
     steps:
       - name: Get the action.yml from the current branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           sparse-checkout: action.yml
           sparse-checkout-cone-mode: false
+          persist-credentials: false
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           path: scancode-inputs
+          persist-credentials: false
+
       - uses: ./
         with:
           pipelines: "scan_codebase"

.github/workflows/scan-single-package.yml

@@ -1,18 +1,27 @@
-on: [push]
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
 
 jobs:
   scan-codebase:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+
     name: Scan a package archive
     steps:
       - name: Get the action.yml from the current branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           sparse-checkout: action.yml
           sparse-checkout-cone-mode: false
+          persist-credentials: false
 
       - uses: ./
         with:
           pipelines: "scan_single_package"
           input-urls:
-            https://github.com/${GITHUB_REPOSITORY}/archive/${GITHUB_REF}.zip
+            https://github.com/${{ github.repository }}/archive/${{ github.ref }}.zip