ci: pin GitHub Actions (with pinact)

philpennock · philpennock · commit ebebda8806f1 · 2025-05-27T20:51:21.000-04:00
diff --git a/.github/workflows/pushes.yaml b/.github/workflows/pushes.yaml
@@ -14,6 +14,14 @@ on:
       - 'wip_*'
   pull_request:
 
+permissions: {}
+  # Control the GITHUB_TOKEN permissions.
+  # By having this block, all permissions not listed here are set to none.
+  # Available permissions listed at:
+  #   <https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token>
+  # Which API calls need which permissions at what level, listed at:
+  #   <https://docs.github.com/en/rest/reference/permissions-required-for-github-apps>
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -24,18 +32,20 @@ jobs:
             canonical: true
           - go: 'oldstable'
             canonical: false
+    permissions:
+      contents: read
 
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           # security posture improvement:
           persist-credentials: false
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: ${{ matrix.go }}
 
@@ -53,7 +63,7 @@ jobs:
         # These are independent of how the matrix is setup, or if a matrix is even used.
 
       - name: Go caches
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           # (This bit copied from the actions/setup-go@v2 version)
           # In order:
@@ -103,7 +113,7 @@ jobs:
           go test -v -tags=integration -coverprofile=${{ runner.temp }}/profile.cov ./...
 
       - name: Send coverage
-        uses: shogo82148/actions-goveralls@v1
+        uses: shogo82148/actions-goveralls@e6875f831db61e6abffbd8df91a2eb6cd24b46c9 # v1.9.1
         with:
           path-to-profile: ${{ runner.temp }}/profile.cov
           flag-name: ${{ steps.go-settings.outputs.go-version }}
@@ -116,12 +126,12 @@ jobs:
     steps:
 
       - name: coveralls.io completion notification
-        uses: shogo82148/actions-goveralls@v1
+        uses: shogo82148/actions-goveralls@e6875f831db61e6abffbd8df91a2eb6cd24b46c9 # v1.9.1
         with:
           parallel-finished: true
 
       - name: Notify PT Slack
-        uses: rtCamp/action-slack-notify@v2
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
         env:
           SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_PT_AUTOBUILDS }}
 
