Merge pull request #60 from step-security-bot/stepsecurity_remediatio…

…n_1729181093 [StepSecurity] ci: Harden GitHub Actions
lima-vm · Oct 17, 2024 · b13c591 · b13c591
2 parents 7b67baa + 97f1634
commit b13c591
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
       attestations: write  # for provenances
     timeout-minutes: 20
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           # https://github.com/reproducible-containers/repro-get/issues/3
           fetch-depth: 0
@@ -66,7 +66,7 @@ jobs:
           gh attestation verify socket_vmnet-${version}-x86_64.tar.gz --owner lima-vm
           \`\`\`
           EOF
-      - uses: actions/attest-build-provenance@v1
+      - uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
         if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
         with:
           subject-path: _artifacts/*

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -7,6 +7,9 @@ on:
       - 'release/**'
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   integration:
     name: Integration tests
@@ -19,7 +22,7 @@ jobs:
     runs-on: ${{ matrix.platform }}
     timeout-minutes: 40
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 1
       - name: Show host info
@@ -44,7 +47,7 @@ jobs:
       - name: Print launchd status (shared mode)
         run: launchctl print system/io.github.lima-vm.socket_vmnet
       - name: Fetch homebrew-core commit messages
-        uses: actions/checkout@v4
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           # needed by ./hack/brew-install-version.sh
           repository: homebrew/homebrew-core
@@ -60,7 +63,7 @@ jobs:
       - name: Test (shared mode)
         run: ./test/test.sh /var/run/socket_vmnet
 # Bridged mode cannot be tested on GHA
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: 1.23.x
       - name: Install Lima