[StepSecurity] ci: Harden GitHub Actions (#488)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2026-02-04 05:56:21 +00:00 · 2024-11-14 05:19:16 -08:00
parent 186c2e4795
commit 091b5866d4
25 changed files with 135 additions and 66 deletions
--- a/.github/workflows/code-coverage-test.yml
+++ b/.github/workflows/code-coverage-test.yml
@@ -5,6 +5,9 @@ on:
    branches:
      - main

+permissions:
+  contents: read
+
 jobs:
  build:
    name: coverage-test
@@ -13,7 +16,7 @@ jobs:

    steps:
      - name: Clone postgres repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: 'postgres/postgres'
          ref: 'REL_15_STABLE'
@@ -80,7 +83,7 @@ jobs:
          pg_ctl -D /opt/pgsql/data -l logfile start

      - name: Clone pg_stat_monitor repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          path: 'src/pg_stat_monitor'

@@ -110,7 +113,7 @@ jobs:
        working-directory: src/pg_stat_monitor

      - name: Upload
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
        with:
          verbose: true
          token: ${{ secrets.CODECOV_TOKEN }}
@@ -127,7 +130,7 @@ jobs:

      - name: Upload logs on fail
        if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: Regressions diff and postgresql log
          path: |