Harden usage of GitHub Actions

.github/dependabot.yml

@@ -11,7 +11,11 @@ updates:
         dependency-type: "development"
       prod-dependencies:
         dependency-type: "production"
+    cooldown:
+      default-days: 7
   - package-ecosystem: github-actions
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7

.github/workflows/build-main.yml

@@ -6,17 +6,21 @@ on:
 
 env:
   IMAGE_NAME: preflight-trigger
-
+
+permissions: {}
+
 jobs:
   build-main:
     name: Build and push main snapshot images
+    permissions:
+      contents: read
     strategy: 
       matrix:
         architecture: [amd64]
         platform: [linux]
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       with:
         persist-credentials: false
         # Get tags and all history in order to find latest tag in later step
@@ -27,14 +31,14 @@ jobs:
       run: echo "RELEASE_TAG=$(git describe --abbrev=0 --tags)" >> "${GITHUB_ENV}"
 
     - name: set short sha
-      run: echo SHA_SHORT=$(git rev-parse --short HEAD) >> $GITHUB_ENV
+      run: echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v4
+      uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
 
     - name: Build Image
       id: build-image
-      uses: redhat-actions/buildah-build@v2
+      uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
       with:
         image: ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
         # TODO: If we end up releasing for other architectures we'll need the below
@@ -50,7 +54,7 @@ jobs:
 
     - name: Push Image
       id: push-image
-      uses: redhat-actions/push-to-registry@v2
+      uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
       with:
         image: ${{ env.IMAGE_NAME }}
         # TODO: If we end up releasing for other architectures we'll need the below
@@ -61,23 +65,30 @@ jobs:
         password: ${{ secrets.REGISTRY_PASSWORD }}
 
     - name: Print image url
-      run: echo "Image pushed to ${{ steps.push-image.outputs.registry-paths }}"
+      run: echo "Image pushed to ${REGISTRY_PATHS}"
+      env:
+        REGISTRY_PATHS: ${{ steps.push-image.outputs.registry-paths }}
 
     outputs:
       imageName: ${{ env.IMAGE_NAME }}
       imageVersion: ${{ env.SHA_SHORT }}
 
   build-coverage:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      with:
+        persist-credentials: false
 
     - name: Install system deps
       run: 'sudo apt update && sudo apt install -y libgpgme-dev libbtrfs-dev libdevmapper-dev'
 
     - name: Set up Go
-      uses: actions/setup-go@v6
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
+        cache: false
         go-version-file: go.mod
 
     - name: Tidy

.github/workflows/build-release.yml

@@ -10,25 +10,32 @@ on:
 env:
   IMAGE_NAME: preflight-trigger
 
+permissions: {}
+
 jobs:
   build-release:
     name: Build and push tag images
+    permissions:
+      contents: read
     strategy: 
       matrix:
         architecture: [amd64]
         platform: [linux]
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      with:
+        persist-credentials: false
+
     - name: Set Env Tags
-      run: echo RELEASE_TAG=$(echo $GITHUB_REF | cut -d '/' -f 3) >> $GITHUB_ENV
+      run: echo "RELEASE_TAG=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)" >> "${GITHUB_ENV}"
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v4
+      uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
 
     - name: Build Image
       id: build-image
-      uses: redhat-actions/buildah-build@v2
+      uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
       with:
         image: ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
         # TODO: If we end up releasing for other architectures we'll need the below
@@ -43,7 +50,7 @@ jobs:
 
     - name: Push Image
       id: push-image
-      uses: redhat-actions/push-to-registry@v2
+      uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
       with:
         image: ${{ env.IMAGE_NAME }}
         # TODO: If we end up releasing for other architectures we'll need the below
@@ -54,7 +61,9 @@ jobs:
         password: ${{ secrets.REGISTRY_PASSWORD }}
 
     - name: Print image url
-      run: echo "Image pushed to ${{ steps.push-image.outputs.registry-paths }}"
+      run: echo "Image pushed to ${REGISTRY_PATHS}"
+      env:
+        REGISTRY_PATHS: ${{ steps.push-image.outputs.registry-paths }}
 
     outputs:
       imageName: ${{ env.IMAGE_NAME }}

.github/workflows/dependabot.yml

@@ -9,6 +9,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v5
+        uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0

.github/workflows/go.yml

@@ -6,18 +6,25 @@ on:
     - main
     - release-*
 
+permissions: {}
+
 jobs:
   build:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      with:
+        persist-credentials: false
 
     - name: Install system deps
       run: 'sudo apt update && sudo apt install -y libgpgme-dev libbtrfs-dev libdevmapper-dev'
 
     - name: Set up Go
-      uses: actions/setup-go@v6
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
+        cache: false
         go-version-file: go.mod
 
     - name: Tidy