From 0c8ef159dd170c2b614e12fb6e0eaf34e804ff69 Mon Sep 17 00:00:00 2001
From: Michael McLoughlin
Date: Tue, 27 Apr 2021 21:52:11 -0700
Subject: [PATCH] ci: github actions hardening (#91)

Restrict permissions of github token. Pin action versions. Following advice in briansmith/untrusted#50.
---
 .github/workflows/ci.yml | 18 +++++++++++++-----
 .github/workflows/install.yml | 10 ++++++++--
 .github/workflows/release.yml | 12 ++++++++----
 .github/workflows/stress.yml | 14 ++++++++++----
 4 files changed, 39 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9eb47c1..676d719 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,3 +1,8 @@
+name: ci
+
+permissions:
+ contents: read
+
 on:
 push:
 branches:
@@ -6,7 +11,6 @@ on:
 schedule:
 - cron: "33 11 * * 6"
-name: ci
 jobs:
 test:
 strategy:
@@ -16,17 +20,19 @@ jobs:
 runs-on: ${{ matrix.platform }}
 steps:
 - name: Install Go
- uses: actions/setup-go@v1
+ uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3
 with:
 go-version: ${{ matrix.go-version }}
 - name: Checkout code
- uses: actions/checkout@v1
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
+ with:
+ persist-credentials: false
 - name: Build
 run: go build ./...
 - name: Test
 run: go test -coverprofile=coverage.out -covermode=count ./...
 - name: Upload Coverage
- uses: codecov/codecov-action@v1.0.5
+ uses: codecov/codecov-action@967e2b38a85a62bd61be5529ada27ebc109948c2 #v1.4.1
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 file: coverage.out
@@ -40,7 +46,9 @@ jobs:
 echo GOPATH=${{ runner.workspace }} >> $GITHUB_ENV
 echo ${{ runner.workspace }}/bin >> $GITHUB_PATH
 - name: Checkout code
- uses: actions/checkout@v1
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
+ with:
+ persist-credentials: false
 - name: Bootstrap
 run: ./script/bootstrap
 - name: Lint
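Review bot: The workflow-level `permissions:` block added in the first hunk carries no explanation, so a later contributor adding a job that needs to push, comment or publish will not see that the default token scopes were dropped on purpose. Add above it `# GITHUB_TOKEN is read-only for every job in this workflow; grant extra scopes at job level, never here.` The identical blocks added at the top of install.yml and stress.yml want the same comment. Note that this setting constrains only GITHUB_TOKEN; the CODECOV_TOKEN secret passed later in this file is unaffected by it.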
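Review bot: Pinning `codecov/codecov-action` to a commit in the Upload Coverage step of the third hunk does not pin what actually runs at upload time if this version, like earlier v1 releases of that action, fetches the uploader script from codecov.io during the job; CODECOV_TOKEN is still handed to whatever is downloaded. That deserves a comment on the `uses:` line and a follow-up, e.g. `# TODO(review): confirm this release bundles the uploader rather than downloading it at run time`; the same applies to the Upload Coverage step in stress.yml and, for the binary that `goreleaser-action` installs, to the `version: v0.160.0` line in release.yml. Separately, `#v1.4.1` lacks the space after `#` that the other pins use (`# v2.1.3`); write `# v1.4.1` so the file is consistent and so tools that refresh SHA pins, which typically key off that comment, recognise it.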
diff --git a/.github/workflows/install.yml b/.github/workflows/install.yml
index 0c9660a..d03828a 100644
--- a/.github/workflows/install.yml
+++ b/.github/workflows/install.yml
@@ -1,3 +1,8 @@
+name: install
+
+permissions:
+ contents: read
+
 on:
 push:
 branches:
@@ -8,7 +13,6 @@ on:
 schedule:
 - cron: "47 18 * * *"
-name: install
 jobs:
 install:
 strategy:
@@ -17,7 +21,9 @@ jobs:
 runs-on: ${{ matrix.platform }}
 steps:
 - name: Checkout code
- uses: actions/checkout@v1
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
+ with:
+ persist-credentials: false
 - name: Run Installer
 run: cat install.sh | sh -s -- -b ${{ runner.workspace }}/bin
 - name: Run Binary
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 768419c..a029eba 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,8 @@
 name: release
+permissions:
+ contents: write
+
 on:
 push:
 tags:
@@ -10,17 +13,18 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Go
- uses: actions/setup-go@v2
+ uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3
 with:
 go-version: 1.16.x
 - name: Run GoReleaser
- uses: goreleaser/goreleaser-action@v2
+ uses: goreleaser/goreleaser-action@5e15885530fb01d81d1f24e8a6f54ebbd0fed7eb # v2.5.0
 with:
- version: latest
+ version: v0.160.0
 args: release --rm-dist
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/stress.yml b/.github/workflows/stress.yml
index fc67445..01f6198 100644
--- a/.github/workflows/stress.yml
+++ b/.github/workflows/stress.yml
@@ -1,8 +1,12 @@
+name: stress
+
+permissions:
+ contents: read
+
 on:
 schedule:
 - cron: "42 10 * * 3"
-name: stress
 jobs:
 test:
 strategy:
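Review bot: `contents: write` in the first release.yml hunk is the only write scope this change leaves in any of the four workflows, and nothing beside it says why it is needed; add `# write: GoReleaser creates the GitHub release and uploads assets with GITHUB_TOKEN` above it so the scope is not widened later without a stated reason (the only consumer visible is the `GITHUB_TOKEN` env on the Run GoReleaser step in the next hunk). Because this is the one workflow whose token can modify the repository, the `persist-credentials: false` added to its checkout is the important one: it keeps the write token out of the checkout's git config for the steps that follow. If the token were ever needed by a later git push, grant it there explicitly rather than re-enabling persistence.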
@@ -12,7 +16,7 @@ jobs:
 runs-on: ${{ matrix.platform }}
 steps:
 - name: Install Go
- uses: actions/setup-go@v1
+ uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3
 with:
 go-version: ${{ matrix.go-version }}
 - name: Configure Go Environment
@@ -20,13 +24,15 @@ jobs:
 echo GOPATH=${{ runner.workspace }} >> $GITHUB_ENV
 echo ${{ runner.workspace }}/bin >> $GITHUB_PATH
 - name: Checkout code
- uses: actions/checkout@v1
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
+ with:
+ persist-credentials: false
 - name: Bootstrap
 run: ./script/bootstrap
 - name: Stress Test
 run: ./script/stress -c coverage.out
 - name: Upload Coverage
- uses: codecov/codecov-action@v1.0.5
+ uses: codecov/codecov-action@967e2b38a85a62bd61be5529ada27ebc109948c2 #v1.4.1
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 file: coverage.out