Merge pull request #450 from step-security-bot/stepsecurity_remediati…

…on_1669782407 [StepSecurity] ci: Harden GitHub Actions
ruby · Nov 30, 2022 · 1d387b0 · 1d387b0
2 parents 30fbf4e + 3bf3cd7
commit 1d387b0
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 6 deletions.
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -2,12 +2,15 @@ name: coverage
 
 on: [push, pull_request]
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - uses: ruby/setup-ruby@v1
+    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+    - uses: ruby/setup-ruby@c7079efafd956afb5d823e8999c2506e1053aefa # v1.126.0
       with:
         ruby-version: '3.0'
     - name: Install dependencies

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -2,13 +2,16 @@ name: lint
 
 on: [push, pull_request]
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
     continue-on-error: true
     steps:
-    - uses: actions/checkout@v3
-    - uses: ruby/setup-ruby@v1
+    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+    - uses: ruby/setup-ruby@c7079efafd956afb5d823e8999c2506e1053aefa # v1.126.0
       with:
         ruby-version: '3.0'
         bundler-cache: true

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -2,6 +2,9 @@ name: test
 
 on: [push, pull_request]
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   test:
     runs-on: ${{ matrix.os }}
@@ -17,8 +20,8 @@ jobs:
           - os: windows-latest
             ruby: jruby
     steps:
-    - uses: actions/checkout@v3
-    - uses: ruby/setup-ruby@v1
+    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+    - uses: ruby/setup-ruby@c7079efafd956afb5d823e8999c2506e1053aefa # v1.126.0
       with:
         ruby-version: ${{ matrix.ruby }}
     - name: Install dependencies