Fixed security vuln (#83)

.github/workflows/markdown.yml

@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   markdown-lint:
     name: Lint markdown files

.github/workflows/test.yml

@@ -19,6 +19,9 @@ concurrency:
 env:
   program: "cbridge"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   copyright:
     runs-on: ubuntu-20.04
@@ -129,7 +132,7 @@ jobs:
           check-latest: true
 
       - name: Install go-junit-report
-        run: go install github.com/jstemmer/go-junit-report/v2@latest
+        run: go install github.com/jstemmer/go-junit-report/v2@14d61e6e75e3f3c74551d757ad936e8e88014464 # v2.1.0
 
       - name: Run tests
         run: |
@@ -154,6 +157,9 @@ jobs:
     name: "Publish Tests Results"
     needs: [ test ]
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      pull-requests: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1

.github/workflows/tpip-check.yml

@@ -18,19 +18,19 @@ concurrency:
 env:
   report_name: "third_party_licenses.md"
 
-permissions:
-  contents: read
-
+permissions:
+  contents: read
+
 jobs:
   check-licenses:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
-        with:
-          egress-policy: audit
-
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
@@ -43,7 +43,7 @@ jobs:
         run:  go mod tidy
 
       - name: Install go-licenses
-        run:  go install github.com/google/go-licenses@latest
+        run:  go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e # v1.6.0
 
       - name: Generate TPIP Report
         run:  |
@@ -67,19 +67,19 @@ jobs:
     # Running this job only on specific event
     # in order to have workaround for issue
     # related to deletion of GH checks/status data
-    permissions:
-      contents: write  # for peter-evans/create-pull-request to create branch
-      pull-requests: write  # for peter-evans/create-pull-request to create a PR
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     if: (github.event_name == 'schedule') || (github.event_name == 'workflow_dispatch')
     needs: [ check-licenses ]
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
-        with:
-          egress-policy: audit
-
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.ref }}