Merge pull request #204 from jmeridth/update-actions-sha-pins

zkoppert · web-flow · commit 31c3714bb1ea · 2026-06-03T16:32:29.000-07:00
ci: pin actions to SHAs and harden workflows
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,15 +6,25 @@ on:
       - "dependabot/**"
   pull_request:
 
-permissions:
-  contents: read
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # Clone the repository
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           cache: npm
       - name: Install dependencies
diff --git a/.github/workflows/contributors.yml b/.github/workflows/contributors.yml
@@ -4,15 +4,20 @@ on:
   schedule:
     - cron: "3 2 1 * *"
 
-permissions:
-  discussions: write
+permissions: {}
 
 jobs:
   contributor_report:
     name: contributor reports
     runs-on: ubuntu-latest
+    permissions:
+      discussions: write # Create the monthly thank-you discussion via abirismyname/create-discussion
 
     steps:
+      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - name: Get dates for last month
         shell: bash
         run: |
@@ -27,7 +32,7 @@ jobs:
           echo "END_DATE=$end_date" >> "$GITHUB_ENV"
 
       - name: Run contributor action
-        uses: github-community-projects/contributors@v2
+        uses: github-community-projects/contributors@4fda46a62ca1f1f1162c053c11d9576ae0cdda99 # v2.0.15
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           START_DATE: ${{ env.START_DATE }}
@@ -37,7 +42,7 @@ jobs:
           LINK_TO_PROFILE: "true"
 
       - name: Create GitHub Discussion
-        uses: abirismyname/create-discussion@v2.1.0
+        uses: abirismyname/create-discussion@c2b7c825241769dda523865ae444a879f6bbd0e0 # v2.1.0
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
