diff --git a/.github/workflows/Semgrep.yml b/.github/workflows/Semgrep.yml
index f31369bec..57b7221a3 100644
--- a/.github/workflows/Semgrep.yml
+++ b/.github/workflows/Semgrep.yml
@@ -31,7 +31,7 @@ jobs:
 # has a bug where `semgrep ci --sarif` counts nosemgrep-suppressed findings as
 # blocking and exits non-zero (fixed in 1.164.0), so inline `// nosemgrep`
 # suppressions were ignored. See https://semgrep.dev/docs CHANGELOG v1.164.0.
- image: semgrep/semgrep:1.164.0
+ image: semgrep/semgrep@sha256:207983631beecdbe7fa29196c7f4a7a5f29033933cdb76c687ce4a672e07618d # 1.164.0
 # Skip any PR created by dependabot to avoid permission issues, and skip the
 # automated release PR (opened by github-actions[bot], same repo, release/*
diff --git a/.github/workflows/executable-check.yml b/.github/workflows/executable-check.yml
index 335905545..1b4719914 100644
--- a/.github/workflows/executable-check.yml
+++ b/.github/workflows/executable-check.yml
@@ -34,8 +34,8 @@ jobs:
 && startsWith(github.head_ref, 'release/')) }}
 runs-on: macos-latest
 steps:
- - uses: actions/checkout@v5
- - uses: actions/setup-node@v4
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
 with:
 node-version: 14
 architecture: x64
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 18a1038ee..ad7389b22 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -4,6 +4,9 @@ on:
 branches: [master]
 pull_request:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 6ab2edb02..ff9f836d2 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -4,6 +4,9 @@ on:
 branches: [master]
 pull_request:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build
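Review bot: The new `image:` digest should be confirmed to be the multi-platform manifest-list digest of `semgrep/semgrep:1.164.0` and not the digest of one architecture-specific manifest, because a per-platform digest pulls fine on the machine it was copied from and fails on a runner of another architecture; the diff alone cannot show which kind it is. Recording how it was obtained keeps the next bump reproducible, e.g. widen the trailing comment to `# 1.164.0 (docker buildx imagetools inspect semgrep/semgrep:1.164.0)`. Note that the `# 1.164.0` trailer is now the only link between the pinned digest and the version the preceding comment block justifies, so whoever bumps the digest (Dependabot is evidently in use, per the context comment) must update that trailer too or the comment becomes misleading. The mapping this `image:` key belongs to starts outside the hunk.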
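Review bot: The two SHAs on the new `uses:` lines are annotated `v5.0.0` and `v4.1.0`, the first releases of each major, so check that they are what the floating `@v5` and `@v4` tags resolve to today — if `actions/checkout@v5` currently points at a later v5.x patch, this pin silently rolls the step back instead of merely freezing it (compare with `git ls-remote --tags https://github.com/actions/checkout` and the same for setup-node). Keep the trailers exactly in the `# vMAJOR.MINOR.PATCH` form, since that is what Dependabot's github-actions updater reads to propose bumps for SHA-pinned actions. The `steps:` list continues past the hunk (the `with:` block is context), so any later `uses:` in this job is unpinned unless handled elsewhere. Separately, the surrounding `node-version: 14` is an end-of-life runtime and deserves its own follow-up, but that is outside this pinning change.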
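Review bot: The new top-level `permissions:` block caps the `GITHUB_TOKEN` for every job in this workflow, so confirm that no job below the hunk (the `build` job and anything after it is outside the hunk) needs `checks: write`, `pull-requests: write`, `id-token: write` or similar — such a step now fails with a 403 at run time rather than at parse time. If one does, grant that scope on the individual job and leave the workflow default at read. A one-line comment such as `# Least-privilege GITHUB_TOKEN for all jobs; widen per job only where a step needs more` above the block would document the intent for the next editor.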
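Review bot: The least-privilege `permissions:` block added here and in test.yml does not appear in the Semgrep.yml or executable-check.yml hunks of this same commit; if those workflows have no `permissions:` at all (not visible here), their token still inherits the repository default and the hardening is only partially applied. Consider adding `permissions: contents: read` to them as well — plus `security-events: write` for Semgrep.yml if it uploads SARIF — or switch the repository-level default token permission to read-only so the per-workflow block is belt and braces. For `pull_request` runs from forks the token is already read-only, so in practice this block constrains the `push` to `master` and `workflow_dispatch` runs declared in the context lines above.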