[StepSecurity] ci: Harden GitHub Actions (#52)

Signed-off-by: StepSecurity Bot <[email protected]>
northwood-labs · Oct 27, 2023 · 5c8eb0f · 5c8eb0f
1 parent 2be9512
commit 5c8eb0f
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -10,6 +10,9 @@ on:
   schedule:
     - cron: 0 0 * * 0
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -34,14 +37,14 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
         with:
           languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
         with:
           category: /language:${{matrix.language}}