Harden GitHub Actions: pin actions to SHAs and set explicit permissions (#1034)

cbruno10 · web-flow · commit 836bfb54977e · 2026-03-26T13:28:53.000-04:00
diff --git a/.github/workflows/01-powerpipe-release.yaml b/.github/workflows/01-powerpipe-release.yaml
@@ -21,6 +21,9 @@ on:
         required: true
         type: boolean
 
+permissions:
+  contents: write
+
 env:
   POWERPIPE_UPDATE_CHECK: false
   GH_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
@@ -188,7 +191,7 @@ jobs:
           path: pipe-fittings
 
       - name: Set up Docker
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Install Docker (if needed)
         run: |
diff --git a/.github/workflows/02-powerpipe-smoke-tests.yaml b/.github/workflows/02-powerpipe-smoke-tests.yaml
@@ -8,6 +8,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 env:
   # Version from input, used to download the correct release artifacts
   VERSION: ${{ github.event.inputs.version }}
diff --git a/.github/workflows/10-test-lint.yaml b/.github/workflows/10-test-lint.yaml
@@ -9,6 +9,9 @@ on:
   workflow_dispatch:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   golangci:
     name: Test Linting
diff --git a/.github/workflows/11-test-acceptance.yaml b/.github/workflows/11-test-acceptance.yaml
@@ -9,6 +9,9 @@ on:
   workflow_dispatch:
   pull_request:
 
+permissions:
+  contents: read
+
 env:
   POWERPIPE_UPDATE_CHECK: false
   SPIPETOOLS_TOKEN: ${{ secrets.SPIPETOOLS_TOKEN }}
@@ -63,7 +66,7 @@ jobs:
           go test -timeout 30s ./... -test.v
 
       - name: Set up Docker
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Install Docker (if needed)
         run: |
diff --git a/.github/workflows/12-test-post-release-linux-distros.yaml b/.github/workflows/12-test-post-release-linux-distros.yaml
@@ -8,6 +8,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 env:
   # Version from input, used to download the correct release artifacts
   VERSION: ${{ github.event.inputs.version }}
diff --git a/.github/workflows/30-stale.yaml b/.github/workflows/30-stale.yaml
@@ -10,6 +10,11 @@ on:
         default: "false"
         type: string
 
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/31-add-issues-to-pipeling-issue-tracker.yaml b/.github/workflows/31-add-issues-to-pipeling-issue-tracker.yaml
@@ -4,6 +4,9 @@ on:
   issues:
     types: [opened]
 
+permissions:
+  contents: read
+
 jobs:
   add-to-project:
     uses: turbot/steampipe-workflows/.github/workflows/assign-issue-to-pipeling-issue-tracker.yml@main
