From b620d2b7d8b8c998cd497db94d54e823265b2fd7 Mon Sep 17 00:00:00 2001
From: Guillaume Ross
Date: Tue, 15 Mar 2022 14:44:30 -0400
Subject: [PATCH] Fix code scanning issues with golangci-lint.yml (#4606)

Making permissions more restricted to reduce impact if token leaked, and pinning dependencies more strictly.
---
 .github/workflows/golangci-lint.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index db39eb34eb..0e14e6ab0c 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -11,14 +11,20 @@ on:
 - '**.go'
 workflow_dispatch: # Manual
 
+permissions:
+ contents: read
+
 jobs:
 golangci:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
 name: lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 - name: golangci-lint
- uses: golangci/golangci-lint-action@v2
+ uses: golangci/golangci-lint-action@5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018 # v2
 with:
 # Required: the version of golangci-lint is required and must be
 # specified without patch version: we always use the latest patch
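Review bot: The two pinned `uses:` lines carry only `# v2` as their comment, and `v2` is a moving major tag, so a later reader cannot tell which release each commit SHA was taken from or check it against an upstream tag. I would record the exact release in the comment, in the form `uses: actions/checkout@<sha> # vX.Y.Z` (placeholder, to be filled in from the upstream tag list), and let Dependabot or Renovate manage the `github-actions` ecosystem so the pins do not silently go stale. Separately, the checkout step keeps its default `persist-credentials: true`, which leaves the job token in the workspace's git config while the lint step runs; adding `with:` and `persist-credentials: false` under `actions/checkout` would fit the commit's stated aim, though the remaining exposure is small now that the token is read-only. The lint step's `with:` block continues past the end of the hunk, so the golangci-lint `version` value, which the context comment says resolves to the latest patch at run time, is not visible here.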