Address code scanning permissions warnings (#27250)

2026-05-23 17:08:53 +00:00 · 2025-03-20 12:07:41 -05:00 · 2025-03-20 12:07:41 -05:00 · 0c81e7ba04
commit 0c81e7ba04
parent bc7b3f75f5
4 changed files with 14 additions and 8 deletions
--- a/.github/workflows/build-fleetd-base-msi.yml
+++ b/.github/workflows/build-fleetd-base-msi.yml
@ -84,7 +84,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit

--- a/.github/workflows/ingest-maintained-apps.yml
+++ b/.github/workflows/ingest-maintained-apps.yml
@ -12,11 +12,14 @@ on:
    - cron: '0 21 * * *'

 permissions:
-  contents: write         # Required to push new branch
-  pull-requests: write    # Required to open PRs
+  contents: read
+  pull-requests: read

 jobs:
-  build:  
+  build:
+    permissions:
+      contents: write         # Required to push new branch
+      pull-requests: write    # Required to open PRs
    runs-on: ubuntu-latest
    timeout-minutes: 180

@ -31,7 +34,7 @@ jobs:
        run: echo "::set-output name=date::$(date +'%y%m%d%H%M')"

      - name: Checkout Fleet
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: fleetdm/fleet
          fetch-depth: 1
@ -39,7 +42,7 @@ jobs:
          path: fleet

      - name: Setup Go
-        uses: actions/setup-go@v4.1.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          cache: false
          go-version: '^1.23.4'
@ -51,7 +54,7 @@ jobs:
          go run cmd/maintained-apps/main.go

      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7.0.8
        with:
          base: main
          path: fleet
--- a/.github/workflows/randokiller-go.yml
+++ b/.github/workflows/randokiller-go.yml
@ -34,7 +34,7 @@ jobs:
      json: ${{steps.get_config_json.outputs.json}}
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit

--- a/.github/workflows/update-tuf-timestamp-signature.yaml
+++ b/.github/workflows/update-tuf-timestamp-signature.yaml
@ -11,6 +11,9 @@ defaults:
    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash

+permissions:
+  contents: read
+
 jobs:
  updates-update-timestamp:
    runs-on: ubuntu-latest