ci: pin the codeql action to SHAs

It's a follow-up to https://github.com/systemd/systemd/pull/21316. Judging by https://github.com/evverx/systemd/pull/36, Dependabot supports their release cycle
ci: mimic the "restricted" mode
2026-04-06 23:24:52 +02:00 · 2021-11-14 10:42:04 +00:00 · 2021-11-14 10:41:06 +00:00
7 changed files with 15 additions and 9 deletions
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@ -12,7 +12,8 @@ on:
      - 'src/**'
      - 'test/fuzz/**'

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  build:
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@ -5,7 +5,8 @@

 name: CIFuzz

-permissions: read-all
+permissions:
+  contents: read

 on:
  pull_request:
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -29,14 +29,14 @@ jobs:
      uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579

    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@5581e08a65fc3811c3ac78939dd59e7a8adbf003
      with:
        languages: ${{ matrix.language }}

    - run: sudo -E .github/workflows/unit_tests.sh SETUP

    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@5581e08a65fc3811c3ac78939dd59e7a8adbf003

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@5581e08a65fc3811c3ac78939dd59e7a8adbf003
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@ -9,7 +9,8 @@ on:
    # Run Coverity daily at midnight
    - cron:  '0 0 * * *'

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  build:
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@ -10,7 +10,8 @@ on:
      - main
      - v[0-9]+-stable

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  build:
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@ -14,7 +14,8 @@ on:
      - main
      - v[0-9]+-stable

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  ci:
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@ -9,7 +9,8 @@ on:
      - main
      - v[0-9]+-stable

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  build: