From 66384d3f13c60dfaf4736b1fea4fbc668995b485 Mon Sep 17 00:00:00 2001
From: Dan Barr
Date: Fri, 10 Jan 2025 17:22:22 -0500
Subject: [PATCH] Update GitHub Actions security (#28)

* Pin GitHub Actions to SHA
* Add permissions to reusable workflows
---
 .github/workflows/_security-checks.yaml | 3 +++
 .github/workflows/_static-checks.yaml | 3 +++
 .github/workflows/on-pr.yaml | 1 -
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/_security-checks.yaml b/.github/workflows/_security-checks.yaml
index b6d9756..269cfb0 100644
--- a/.github/workflows/_security-checks.yaml
+++ b/.github/workflows/_security-checks.yaml
@@ -3,6 +3,9 @@ name: Security checks
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 trivy:
 name: Trivy scan
diff --git a/.github/workflows/_static-checks.yaml b/.github/workflows/_static-checks.yaml
index 8e8b6b1..4868e9f 100644
--- a/.github/workflows/_static-checks.yaml
+++ b/.github/workflows/_static-checks.yaml
@@ -3,6 +3,9 @@ name: Static checks
 on:
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 name: Lint and format checks
diff --git a/.github/workflows/on-pr.yaml b/.github/workflows/on-pr.yaml
index 6cec6a6..ebef0ee 100644
--- a/.github/workflows/on-pr.yaml
+++ b/.github/workflows/on-pr.yaml
@@ -14,4 +14,3 @@ jobs:
 static-checks:
 name: Static checks
 uses: ./.github/workflows/_static-checks.yaml
- secrets: inherit
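Review bot: With the new top-level `permissions: contents: read`, any job in this reusable workflow that needs a broader scope must now request it at job level, and the `trivy` job directly below is the obvious candidate — if it uploads SARIF to code scanning it would need `security-events: write`, which this hunk does not add; the same consideration applies to the `lint` job in the `_static-checks.yaml` hunk. The job bodies lie outside both hunks, so this is inferred from the job names rather than from visible steps and should be confirmed against the full files. Because a `permissions` block in a `workflow_call` workflow can only narrow what the caller already grants, the caller's token remains the effective upper bound; a short comment above the block, `# Least-privilege default for the called workflow; jobs needing more must set permissions at job level`, would make that contract explicit for maintainers. Separately, the commit message lists "Pin GitHub Actions to SHA" but the diffstat shows no `uses:` line changed in any of the three files, so either the pinning lives in another commit or the message overstates what this patch does.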