From 520a7ea58614346e303b10ecb73bab8419373b7d Mon Sep 17 00:00:00 2001 From: Boyan Velinov Date: Wed, 27 May 2026 17:27:42 +0300 Subject: [PATCH] Harden github actions --- .github/workflows/check-commit-message.yml | 5 ++++- .github/workflows/main.yml | 7 +++++-- .github/workflows/pull-request-build.yml | 9 ++++++--- .github/workflows/sonar-scan.yml | 8 ++++++-- 4 files changed, 21 insertions(+), 8 deletions(-) diff --git a/.github/workflows/check-commit-message.yml b/.github/workflows/check-commit-message.yml index 4a11e8b0..c2bca464 100644 --- a/.github/workflows/check-commit-message.yml +++ b/.github/workflows/check-commit-message.yml @@ -4,6 +4,9 @@ on: pull_request: types: [ synchronize, opened ] +permissions: + pull-requests: read + jobs: check_commit_message: name: Check Commit Message @@ -12,7 +15,7 @@ jobs: steps: - name: Check Commit Message id: commits - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const prNumber = context.payload.pull_request.number; diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ed9fb643..6d29b384 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -4,13 +4,16 @@ on: push: branches: [ "master" ] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up JDK 25 - uses: actions/setup-java@v3 + uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0 with: java-version: '25' distribution: 'zulu' diff --git a/.github/workflows/pull-request-build.yml b/.github/workflows/pull-request-build.yml index 61168316..ce2cf02c 100644 --- a/.github/workflows/pull-request-build.yml +++ b/.github/workflows/pull-request-build.yml @@ -5,20 +5,23 @@ on: branches: [ master ] types: [opened, synchronize, reopened] +permissions: + contents: read + jobs: build: name: Build and analyze runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up JDK 25 - uses: actions/setup-java@v3 + uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0 with: java-version: '25' distribution: 'zulu' - name: Cache Maven packages - uses: actions/cache@v3 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 with: path: ~/.m2 key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} diff --git a/.github/workflows/sonar-scan.yml b/.github/workflows/sonar-scan.yml index e924eeb3..03d91b79 100644 --- a/.github/workflows/sonar-scan.yml +++ b/.github/workflows/sonar-scan.yml @@ -6,13 +6,17 @@ on: pull_request: branches: [ "master" ] +permissions: + contents: read + pull-requests: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up JDK 25 - uses: actions/setup-java@v3 + uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0 with: java-version: '25' distribution: 'zulu'