From 679a0e03b9a31df7bdf1fbb9c7e9dc010e3f66a1 Mon Sep 17 00:00:00 2001
From: Dan Barr
Date: Thu, 9 Jan 2025 17:56:25 -0500
Subject: [PATCH 1/2] Pin GitHub Actions to SHA

---
 .github/workflows/_security-checks.yaml | 8 ++++----
 .github/workflows/on-pr.yaml | 1 -
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/_security-checks.yaml b/.github/workflows/_security-checks.yaml
index d84eeda..b6d9756 100644
--- a/.github/workflows/_security-checks.yaml
+++ b/.github/workflows/_security-checks.yaml
@@ -9,10 +9,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Scan repo
- uses: aquasecurity/trivy-action@0.29.0
+ uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
 with:
 scan-type: 'fs'
 scan-ref: '.'
@@ -26,10 +26,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
 with:
 node-version: '22'
diff --git a/.github/workflows/on-pr.yaml b/.github/workflows/on-pr.yaml
index 6cec6a6..ebef0ee 100644
--- a/.github/workflows/on-pr.yaml
+++ b/.github/workflows/on-pr.yaml
@@ -14,4 +14,3 @@ jobs:
 static-checks:
 name: Static checks
 uses: ./.github/workflows/_static-checks.yaml
- secrets: inherit

From 32a3b3ca7cf47d245faa79c4786f9943e5a3773d Mon Sep 17 00:00:00 2001
From: Dan Barr
Date: Thu, 9 Jan 2025 19:57:36 -0500
Subject: [PATCH 2/2] Add permissions to reusable workflows

---
 .github/workflows/_security-checks.yaml | 3 +++
 .github/workflows/_static-checks.yaml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/_security-checks.yaml b/.github/workflows/_security-checks.yaml
index b6d9756..269cfb0 100644
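Review bot: The pin comments on the `actions/checkout` and `actions/setup-node` lines record only the floating major tag (`# v4`), which does not let a reviewer confirm which release the commit SHA was taken from, whereas the `trivy-action` line in the same hunk records an exact version (`# 0.29.0`); the checkout and setup-node pins should do the same, e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.<minor>.<patch> (placeholder: the exact tag the SHA was resolved from)`. This applies to both `actions/checkout` pins and to the `actions/setup-node` pin in the second hunk (`@@ -26,10 +26,10 @@`). Pin-update tooling that parses the trailing comment (Dependabot's `github-actions` ecosystem, Renovate) uses it to recognise the current release, so an exact tag also keeps these pins from silently going stale once a new release exists. Checking that each SHA is reachable from the tag it claims is the step that makes a SHA pin stronger than a tag: a tag can be moved to different code, a commit hash cannot.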
--- a/.github/workflows/_security-checks.yaml
+++ b/.github/workflows/_security-checks.yaml
@@ -3,6 +3,9 @@ name: Security checks
 on:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 trivy:
 name: Trivy scan
diff --git a/.github/workflows/_static-checks.yaml b/.github/workflows/_static-checks.yaml
index 8e8b6b1..4868e9f 100644
--- a/.github/workflows/_static-checks.yaml
+++ b/.github/workflows/_static-checks.yaml
@@ -3,6 +3,9 @@ name: Static checks
 on:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 lint:
 name: Lint and format checks
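Review bot: The new top-level `permissions:` block carries no comment explaining that, in a `workflow_call` workflow, the `GITHUB_TOKEN` permissions declared here can only narrow what the calling workflow grants and never widen it, so a maintainer who later adds a step needing a write scope may expect raising it here to be sufficient when the caller (`on-pr.yaml`, outside this hunk) must grant it as well. I would add above the key: `# Least-privilege GITHUB_TOKEN. A called workflow can only reduce the permissions its caller grants, so any write scope needed later must also be granted in the calling workflow.` The same block is added to `_static-checks.yaml` in the following hunk and should carry the same comment. Whether the caller sets its own `permissions` is not visible in these hunks.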