[StepSecurity] ci: Harden GitHub Actions (#488)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2026-02-04 05:56:21 +00:00 · 2024-11-14 05:19:16 -08:00
parent 186c2e4795
commit 091b5866d4
25 changed files with 135 additions and 66 deletions
--- a/.github/workflows/postgresql-13-pmm.yaml
+++ b/.github/workflows/postgresql-13-pmm.yaml
@@ -7,6 +7,9 @@ on:
    tags:
      - '[0-9]+.[0-9]+.[0-9]+*'

+permissions:
+  contents: read
+
 jobs:
  build:
    name: pg-13-pgsm-pmm-integration-test
@@ -14,7 +17,7 @@ jobs:
    timeout-minutes: 30
    steps:
      - name: Clone QA Integration repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: 'Percona-Lab/qa-integration'
          ref: 'main'
@@ -39,7 +42,7 @@ jobs:
        run: docker exec pgsql_pgsm_13 cat pmm-agent.log > ./pmm-ui-tests/tests/output/pmm-agent.log

      - name: Upload Tests Artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        if: success() || failure()    # run this step even if previous step failed
        with:
          name: tests-artifact