From b87ee064ef02e01b0b1156b908aa25654445d2e3 Mon Sep 17 00:00:00 2001
From: Asra
Date: Wed, 9 Oct 2024 21:25:08 +0000
Subject: [PATCH] ci: make some scorecard security suggestions

Signed-off-by: Asra
---
 .github/workflows/docs.yml | 3 ++-
 .github/workflows/nightly.yml | 11 +++++++----
 .github/workflows/scripts_test.yml | 4 ++--
 docs/Dockerfile | 2 +-
 4 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 568e10ea35..53c7d5d3f2 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,4 +1,5 @@
 name: Build website, deploy to GH pages if on main
+permissions: read-all
 on:
 push:
@@ -42,7 +43,7 @@ jobs:
 # Please update the local install instructions at docs/README.md if changing node version
 - name: Setup Node
- uses: actions/setup-node@v3
+ uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
 with:
 node-version: '18'
 cache: 'npm'
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index f2fba4d016..9d6fa59b88 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -1,14 +1,17 @@
 name: Nightly release
-permissions:
- contents: write
- # Packages write permission required to update a release
- packages: write
+
+permissions: read-all
+
 on:
 workflow_dispatch:
 schedule:
 - cron: '0 0 * * *'
 jobs:
 build-and-test:
+ permissions:
+ contents: write
+ # Packages write permission required to update a release
+ packages: write
 runs-on:
 labels: ubuntu-20.04-8core
 steps:
diff --git a/.github/workflows/scripts_test.yml b/.github/workflows/scripts_test.yml
index be40ac5618..f463818097 100644
--- a/.github/workflows/scripts_test.yml
+++ b/.github/workflows/scripts_test.yml
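Review bot: `permissions: read-all` in the `@@ -1,4 +1,5 @@` hunk of docs.yml makes the GITHUB_TOKEN read-only for every job, yet this patch adds no job-level override in that file and the workflow's own name says it deploys to GH Pages on main. If the deploy job pushes a branch or calls the Pages deploy action with GITHUB_TOKEN, it would now need `contents: write` or `pages: write` plus `id-token: write` declared on that job; the deploy job is outside the hunk, so this is inferred from the name and should be confirmed before merging. If it does need them, a job-scoped block such as `permissions:` / `  contents: write` on the deploy job alone keeps the build job read-only and still satisfies the Scorecard Token-Permissions check.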
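Review bot: The `uses:` line in the `@@ -42,7 +43,7 @@` hunk of docs.yml jumps `actions/setup-node` from `v3` to the commit for `v4.0.4`, so a major-version upgrade rides along with the SHA pin rather than being called out in the commit message. The trailing `# v4.0.4` comment is what lets Dependabot and Renovate keep the pin current, so it should stay on this and every other pinned `uses:` line; the remaining steps of this workflow are outside the hunk, and if any of them are still tag-pinned the Scorecard Pinned-Dependencies check will keep flagging the file.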
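Review bot: The job-level `permissions:` block added under `build-and-test` in nightly.yml replaces the workflow-level grant instead of extending it: once a job lists any scope, every scope it does not list is treated as `none`, so `read-all` at the top does not apply to this job. That matches the effective grant the removed top-level block gave, so nothing breaks here, but the two-level layout is easy to misread. Suggest a comment above the job block such as `# Job-level permissions replace the workflow default (read-all); list every scope this job needs.` The job's steps continue outside the hunk, so any step that reads artifacts, issues or other scopes would need that scope added to this block.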
@@ -24,8 +24,8 @@ jobs:
 python-version: ${{ matrix.python-version }}
 - name: Install dependencies
 run: |
- python -m pip install --upgrade pip
- pip install -r requirements-dev.txt
+ python -m pip install --upgrade pip --require-hashes
+ pip install -r requirements-dev.txt --require-hashes
 - name: Run tests
 run: |
 python -m pytest
diff --git a/docs/Dockerfile b/docs/Dockerfile
index 4e653452e0..c976341820 100644
--- a/docs/Dockerfile
+++ b/docs/Dockerfile
@@ -1,4 +1,4 @@
-FROM klakegg/hugo:ext-alpine
+FROM klakegg/hugo:ext-alpine@sha256:536dd4805d0493ee13bf1f3df3852ed1f26d1625983507c8c56242fc029b44c7
 RUN apk add git && \
 git config --global --add safe.directory /src
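Review bot: `python -m pip install --upgrade pip --require-hashes` on the first added line of scripts_test.yml will fail: in hash-checking mode pip requires every requirement, including ones passed on the command line, to be pinned with `==` and to carry a `--hash`, and a bare `pip` has neither. The second added line only works if `requirements-dev.txt` already pins every package with `--hash` entries (as produced by `pip-compile --generate-hashes`); that file is not touched by this patch, so confirm it is hash-pinned or this step breaks as well. Suggest keeping `python -m pip install --upgrade pip` as it was (or pinning pip itself with a hash in a requirements file) and applying `--require-hashes` only to the `-r requirements-dev.txt` install.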