CI: set permissions, update and pin actions, CodeQL for actions (#6073)

* CI: reduce default permissions to minimum

* CI: update pin actions

Most of them. CodeQL and action-gh-release are untouched for now.
Immutable actions and actions/* are pinned to version,
other actions are pinned to hash.

* CI: make use of archive: false in upload-artifact

also set compression level and error behavior for scan-build upload.

* CI: update codeql and enable scanning actions
This commit is contained in:
black-sliver
2026-03-30 19:46:43 +00:00
committed by GitHub
parent c640d2fa24
commit 2ee20a3ac4
10 changed files with 71 additions and 50 deletions


@@ -19,6 +19,8 @@ on:
env:
REGISTRY: ghcr.io
permissions: {}
jobs:
prepare:
runs-on: ubuntu-latest
@@ -29,7 +31,7 @@ jobs:
package-name: ${{ steps.package.outputs.name }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v6.0.2
- name: Set lowercase image name
id: image
@@ -43,7 +45,7 @@ jobs:
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@v6.0.0
with:
images: ${{ env.REGISTRY }}/${{ steps.image.outputs.name }}
tags: |
@@ -92,13 +94,13 @@ jobs:
cache-scope: arm64
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v6.0.2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
@@ -115,7 +117,7 @@ jobs:
echo "tags=$(IFS=','; echo "${suffixed[*]}")" >> $GITHUB_OUTPUT
- name: Build and push Docker image
uses: docker/build-push-action@v5
uses: docker/build-push-action@v7.0.0
with:
context: .
file: ./Dockerfile
@@ -135,7 +137,7 @@ jobs:
packages: write
steps:
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
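Review bot: With `permissions: {}` now at the workflow level in the first hunk, every job runs with an empty GITHUB_TOKEN unless it declares its own block, so the build job that logs in to `${{ env.REGISTRY }}` and runs `docker/build-push-action` needs `permissions:` with `contents: read` and `packages: write` of its own; the last hunk shows `packages: write` on a different job, but the build job's header lies outside these hunks, so confirm it carries the same grant rather than inheriting nothing. The mixed pinning is explained only in the commit message, not in the file: `docker/metadata-action@v6.0.0` and `docker/build-push-action@v7.0.0` stay on tags while the login and buildx actions move to hashes, and a reader of the workflow alone will likely "fix" the tag pins. A one-line comment on each tag-pinned step, e.g. `uses: docker/build-push-action@v7.0.0  # immutable release, tag pin intentional`, records the rationale where the next reviewer will see it. The enclosing job definitions start and end outside these hunks.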