Pin third-party actions to a sha

dflook · dflook · commit f488777c1ffe · 2025-03-17T22:16:03.000Z
diff --git a/.github/workflows/base-image.yaml b/.github/workflows/base-image.yaml
@@ -36,7 +36,7 @@ jobs:
           echo "$DOCKER_TOKEN" | docker login --username danielflook --password-stdin
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
 
       - name: Base image
         id: build-and-push
diff --git a/.github/workflows/pull_request_review.yaml b/.github/workflows/pull_request_review.yaml
@@ -3,6 +3,9 @@ name: Test pull_request_review event
 on:
   - pull_request_review
 
+permissions:
+  contents: read
+
 jobs:
   apply:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -42,7 +42,7 @@ jobs:
           echo "$DOCKER_TOKEN" | docker login --username danielflook --password-stdin
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
 
       - name: Build action image
         id: image_build
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -98,15 +98,28 @@ jobs:
           ./actionlint example_workflows/*.yaml
 
       - name: Lint CHANGELOG
-        uses: DavidAnson/markdownlint-cli2-action@v19
+        uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2a6f20b273450ec8265 # v19
         with:
           config: '.config/changelog.markdownlint.yaml'
           globs: 'CHANGELOG.md'
 
       - name: Lint Other Markdown
-        uses: DavidAnson/markdownlint-cli2-action@v19
+        uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2a6f20b273450ec8265 # v19
         with:
           config: '.config/.markdownlint.yaml'
           globs: |
             docs/*.md
             **/README.md
+
+  ensure-pinned-actions:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@25ed13d0628a1601b4b44048e63cc4328ed03633 # v3
+        with:
+          allowlist: |
+            actions/
+            dflook/
diff --git a/.github/workflows/trigger-test-events.yaml b/.github/workflows/trigger-test-events.yaml
@@ -14,7 +14,7 @@ jobs:
       contents: write
     steps:
       - name: Repository Dispatch
-        uses: peter-evans/repository-dispatch@v2
+        uses: peter-evans/repository-dispatch@bf47d102fdb849e755b0b0023ea3e81a44b6f570 # v2
         with:
           event-type: test
           client-payload: '{"pull_request": { "url": "${{ github.event.pull_request.url }}" } }'
