[StepSecurity] ci: Harden GitHub Actions (#488)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2026-02-04 05:56:21 +00:00 · 2024-11-14 05:19:16 -08:00
parent 186c2e4795
commit 091b5866d4
25 changed files with 135 additions and 66 deletions
--- a/.github/workflows/postgresql-16-pgdg-package.yml
+++ b/.github/workflows/postgresql-16-pgdg-package.yml
@@ -7,6 +7,9 @@ on:
    tags:
      - '[0-9]+.[0-9]+.[0-9]+*'

+permissions:
+  contents: read
+
 jobs:
  build:
    name: pg-16-pgdg-package-test
@@ -14,7 +17,7 @@ jobs:
    timeout-minutes: 30
    steps:
      - name: Clone pg_stat_monitor repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          path: 'src/pg_stat_monitor'

@@ -75,7 +78,7 @@ jobs:

      - name: Upload logs on fail
        if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: Regressions diff and postgresql log
          path: |