From bf2226b8f60230819dad60ac9956bc8a24bae87b Mon Sep 17 00:00:00 2001
From: Srinandan Sridhar <13950006+srinandan@users.noreply.github.com>
Date: Tue, 5 Nov 2024 08:51:34 -0800
Subject: [PATCH] chore: restrict token permissions #566 (#567)
---
 .github/workflows/codeql-analysis.yml | 2 +-
 .github/workflows/docker-publish.yml | 17 +++++++++--------
 .github/workflows/golangci-lint.yml | 5 ++---
 .github/workflows/gorelease-action.yml | 2 +-
 4 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b0f9a88a1..541b4c1ba 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -24,7 +24,7 @@
 # supported CodeQL languages.
 #
 name: "CodeQL"
-
+permissions: read-all
 on:
 push:
 branches: [ "main" ]
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 1ba57cfbb..949793afd 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -19,6 +19,7 @@ name: apigeecli Container Release
 # separate terms of service, privacy policy, and support
 # documentation.
+permissions: read-all
 on:
 push:
 # Publish semver tags as releases.
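Review bot: The workflow-level `permissions: read-all` added under `name: "CodeQL"` grants no `security-events: write`, which the CodeQL upload step needs to post SARIF results to code scanning; the analyze job is outside this hunk, so if it carries no job-level `permissions:` block of its own the upload will start failing. Prefer enumerating scopes over `read-all` so the grant is exactly what the job needs: `permissions:` / `contents: read` / `security-events: write` (plus `actions: read` on a private repository). If the job already declares these, a one-line comment above the top-level key, `# job-level permissions below override this default`, would save the next reader the same check.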
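Review bot: The top-level `permissions: read-all` added before `on:` covers none of the write scopes the job in this workflow appears to rely on — the registry login as `${{ github.actor }}` and the image push need `packages: write` if they authenticate with `secrets.GITHUB_TOKEN`, and `cosign sign --yes` with no key reads as keyless signing, which needs `id-token: write`; the job itself is outside this hunk, so this only works if it has its own `permissions:` block. If it does not, add the grant on the job rather than widening the workflow default: `permissions:` / `contents: read` / `packages: write` / `id-token: write`. Either way, enumerated scopes are tighter than `read-all`, which also grants read on scopes nothing here touches.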
@@ -54,19 +55,19 @@ jobs:
 # https://github.com/sigstore/cosign-installer
 - name: Install cosign
 if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@v3.5.0
+ uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v2.1.0
+ uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 #v2.1.0
 - name: Setup Docker buildx
- uses: docker/setup-buildx-action@v2.5.0
+ uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c #v2.5.0
 # Login against a Docker registry except on PR
 # https://github.com/docker/login-action
 - name: Log into registry ${{ env.REGISTRY }}
 if: github.event_name != 'pull_request'
- uses: docker/login-action@v2.1.0
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a #v2.1.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -76,7 +77,7 @@ jobs:
 # https://github.com/docker/metadata-action
 - name: Extract Docker metadata
 id: meta
- uses: docker/metadata-action@v4.4.0
+ uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e #v4.4.0
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 tags: |
@@ -90,7 +91,7 @@ jobs:
 # https://github.com/docker/build-push-action
 - name: Build and push Docker image
 id: build-and-push
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@c382f710d39a5bb4e430307530a720f50c2d3318 #v6
 with:
 context: .
 file: Dockerfile
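Review bot: The `sigstore/cosign-installer` line both pins to a SHA and bumps from v3.5.0 to v3.7.0, while the three other actions in this hunk are pinned at their existing versions; folding an upgrade into a pin-only commit makes it harder to confirm that each hash is the commit the comment claims. Before merging, resolve each SHA against the stated tag (`git ls-remote --tags https://github.com/sigstore/cosign-installer | grep v3.7.0` and likewise for the docker actions) — a wrong hash next to a plausible version comment is exactly what pinning is meant to prevent. Keep the comment format uniform as well: `# v3.7.0` has a space after `#`, the rest have none, and update tooling keys off that pattern; a `github-actions` entry in `.github/dependabot.yml` is what keeps these SHAs from going stale.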
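Review bot: The comment on the `docker/build-push-action` pin, `#v6`, records only a floating major tag while the SHA fixes one specific commit, so a reader cannot tell which release actually runs without resolving the hash. Write the exact release the hash corresponds to once you have resolved it, e.g. `# v6.x.y`, because the version comment is the only human-readable record of the pin and the value update tooling compares against. The surrounding `with:` block continues past the end of this hunk.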
@@ -121,14 +122,14 @@ jobs:
 cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
 - name: Generate SBOM
- uses: anchore/sbom-action@v0
+ uses: anchore/sbom-action@fc46e51fd3cb168ffb36c6d1915723c47db58abb #0.17.7
 with:
 format: 'spdx-json'
 output-file: 'sbom.spdx.json'
 image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
 - name: Publish SBOM
- uses: anchore/sbom-action/publish-sbom@v0
+ uses: anchore/sbom-action/publish-sbom@fc46e51fd3cb168ffb36c6d1915723c47db58abb #0.17.7
 with:
 sbom-artifact-match: ".*\\.spdx$"
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 90f22405c..20b50f8fc 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -13,6 +13,7 @@
 # limitations under the License.
 name: golangci-lint
+permissions: read-all
 on:
 push:
 branches:
@@ -20,8 +21,6 @@ on:
 pull_request:
 branches:
 - '**'
-permissions:
-  contents: read
 jobs:
 golangci:
 name: lint
@@ -33,7 +32,7 @@ jobs:
 cache: false
 - uses: actions/checkout@v4
 - name: golangci-lint
- uses: golangci/golangci-lint-action@v3
+ uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 #v6.1.1
 with:
 version: latest
 args: --timeout=4m
diff --git a/.github/workflows/gorelease-action.yml b/.github/workflows/gorelease-action.yml
index 53dd0987e..21426e8e7 100644
--- a/.github/workflows/gorelease-action.yml
+++ b/.github/workflows/gorelease-action.yml
@@ -13,7 +13,7 @@
 # limitations under the License.
 name: apigeecli Binary Release
-
+permissions: read-all
 on:
 push:
 # Publish semver tags as releases.
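Review bot: The version comments on the two `anchore/sbom-action` pins, `#0.17.7`, drop the `v` prefix that the action's release tags appear to carry, and differ in style from the `# v3.7.0` and `#v2.1.0` comments earlier in this file. Write them as `# v0.17.7` if that is the tag the SHA resolves to, so a human can match comment to tag and update tooling recognises the pin. Using one SHA for both the generate and publish steps is the right call; keep them in lockstep on future bumps.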
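Review bot: Removing `permissions:` / `contents: read` from golangci-lint.yml and relying on the new top-level `permissions: read-all` widens the token rather than restricting it: the lint job only checks out code, so `contents: read` was already the minimum, whereas `read-all` adds read on packages, pull-requests, issues, actions and other scopes nothing in this workflow uses. Restore the explicit block as the workflow default (`permissions:` / `contents: read`) in place of `read-all`; the commit title says restrict, and this is the one file where the change goes the other way.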
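Review bot: `actions/checkout@v4` on the context line just above the newly pinned lint action is still a mutable tag, and `version: latest` under `with:` makes the linter binary itself a floating download, so this job stays exposed to the same tag-moving risk the commit closes elsewhere. Pin both: `- uses: actions/checkout@<sha> # v4.x.y` and a fixed `version: v1.x.y` for golangci-lint, with Dependabot or Renovate bumping them. The golangci job's earlier steps are outside this hunk.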
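Review bot: `permissions: read-all` on the binary-release workflow grants no `contents: write`, which creating a GitHub release and uploading its assets requires; the release job is outside this hunk, so unless it declares a job-level `permissions:` block the release step will most likely be rejected on the next tag push. Declare the write scope on the job and keep the workflow default narrow: `permissions:` / `contents: write` (add `id-token: write` only if the release artifacts are signed keylessly). Exercise it on a throwaway tag before the next real release, since a broken release workflow tends to be discovered at the worst time.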