Token-Permissions & Pinned-Dependencies (#2586)

# Description Please provide a summary of the changes, including relevant motivation and context. Closes #(issue_number) ## Checklist - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have performed a self-review of my own code - [ ] I have attached images of the change if it is UI based - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] If my code has heavily changed functionality I have updated relevant docs on [Stirling-PDFs doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) - [ ] My changes generate no new warnings - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only)
2025-03-11 00:19:03 +01:00 · 2025-01-02 19:22:14 +01:00 · 2025-01-02 19:22:14 +01:00 · 875f5a85ef
commit 875f5a85ef
parent ef174a1e8a
14 changed files with 35 additions and 17 deletions
--- a/.github/workflows/PR-Demo-Comment.yml
+++ b/.github/workflows/PR-Demo-Comment.yml
@ -4,9 +4,15 @@ on:
  issue_comment:
    types: [created]

+permissions:
+  contents: read
+
 jobs:
  check-comment:
    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+      issues: read
    if: |
      github.event.issue.pull_request &&
      (
--- a/.github/workflows/PR-Demo-cleanup.yml
+++ b/.github/workflows/PR-Demo-cleanup.yml
@ -4,7 +4,8 @@ on:
  pull_request:
    types: [opened, synchronize, reopened, closed]

-permissions: read-all
+permissions:
+  contents: read

 env:
  SERVER_IP: ${{ secrets.VPS_IP }}  # Add this to your GitHub secrets
--- a/.github/workflows/auto-labeler.yml
+++ b/.github/workflows/auto-labeler.yml
@ -3,7 +3,8 @@ on:
  pull_request_target:
    types: [opened, synchronize]

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  labeler:
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -6,13 +6,15 @@ on:
  pull_request:
    branches: ["main"]

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  build:
    runs-on: ubuntu-latest

    permissions:
+      actions: read
      security-events: write

    strategy:
@ -44,7 +46,7 @@ jobs:
        run: ./gradlew clean build
        env:
          DOCKER_ENABLE_SECURITY: true
-          
+
  docker-compose-tests:
    # if: github.event_name == 'push' && github.ref == 'refs/heads/main' ||
    #     (github.event_name == 'pull_request' &&
--- a/.github/workflows/licenses-update.yml
+++ b/.github/workflows/licenses-update.yml
@ -7,7 +7,8 @@ on:
    paths:
      - "build.gradle"

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  generate-license-report:
--- a/.github/workflows/manage-label.yml
+++ b/.github/workflows/manage-label.yml
@ -4,7 +4,8 @@ on:
  schedule:
    - cron: "30 20 * * *"

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  labeler:
--- a/.github/workflows/multiOSReleases.yml
+++ b/.github/workflows/multiOSReleases.yml
@ -5,7 +5,8 @@ on:
  release:
    types: [created]

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  build-installers:
--- a/.github/workflows/pre_commit.yml
+++ b/.github/workflows/pre_commit.yml
@ -4,7 +4,8 @@ on:
  push:
    branches: [main]

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  update:
@ -19,7 +20,7 @@ jobs:
        with:
          fetch-depth: 0
      - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: 3.12
      - name: Run Pre-Commit Hooks
--- a/.github/workflows/push-docker.yml
+++ b/.github/workflows/push-docker.yml
@ -9,14 +9,13 @@ on:

 permissions:
  contents: read
-  packages: write
-  id-token: write

 jobs:
  push:
    runs-on: ubuntu-latest
    permissions:
      packages: write
+      id-token: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
@ -42,7 +41,7 @@ jobs:

      - name: Install cosign
        if: github.ref == 'refs/heads/master'
-        uses: sigstore/cosign-installer@v3.7.0
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
        with:
          cosign-release: 'v2.4.1'

--- a/.github/workflows/releaseArtifacts.yml
+++ b/.github/workflows/releaseArtifacts.yml
@ -5,7 +5,8 @@ on:
  release:
    types: [created]

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  push:
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -5,7 +5,8 @@ on:
    - cron: "30 0 * * *"
  workflow_dispatch:

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  stale:
--- a/.github/workflows/swagger.yml
+++ b/.github/workflows/swagger.yml
@ -6,7 +6,8 @@ on:
    branches:
      - master

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  push:
--- a/.github/workflows/sync_files.yml
+++ b/.github/workflows/sync_files.yml
@ -9,7 +9,8 @@ on:
      - "src/main/resources/messages_*.properties"
      - "scripts/ignore_translation.toml"

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  sync-readme:
--- a/.github/workflows/update-translations.yml
+++ b/.github/workflows/update-translations.yml
@ -6,7 +6,8 @@ on:
    paths:
      - "src/main/resources/messages_en_GB.properties"

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  update-translations-main: