ci: make some scorecard security suggestions

Signed-off-by: Asra <[email protected]>
asraa · Oct 9, 2024 · b87ee06 · b87ee06
1 parent 2391792
commit b87ee06
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 8 deletions.
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -1,4 +1,5 @@
 name: Build website, deploy to GH pages if on main
+permissions: read-all
 
 on:
   push:
@@ -42,7 +43,7 @@ jobs:
 
     # Please update the local install instructions at docs/README.md if changing node version
     - name: Setup Node
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
       with:
         node-version: '18'
         cache: 'npm'

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -1,14 +1,17 @@
 name: Nightly release
-permissions:
-  contents: write
-  # Packages write permission required to update a release
-  packages: write
+
+permissions: read-all
+
 on:
   workflow_dispatch:
   schedule:
     - cron: '0 0 * * *'
 jobs:
   build-and-test:
+  permissions:
+    contents: write
+    # Packages write permission required to update a release
+    packages: write
     runs-on:
       labels: ubuntu-20.04-8core
     steps:

diff --git a/.github/workflows/scripts_test.yml b/.github/workflows/scripts_test.yml
@@ -24,8 +24,8 @@ jobs:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements-dev.txt
+          python -m pip install --upgrade pip --require-hashes
+          pip install -r requirements-dev.txt --require-hashes
       - name: Run tests
         run: |
           python -m pytest
diff --git a/docs/Dockerfile b/docs/Dockerfile
@@ -1,4 +1,4 @@
-FROM klakegg/hugo:ext-alpine
+FROM klakegg/hugo:ext-alpine@sha256:536dd4805d0493ee13bf1f3df3852ed1f26d1625983507c8c56242fc029b44c7
 
 RUN apk add git && \
   git config --global --add safe.directory /src