Update github workflow permissions (#193)

Resolves 5 code scanning alerts in github Signed-off-by: Dave Thaler <dthaler1968@gmail.com>
orcasound · Sep 19, 2024 · 8968412 · 8968412
1 parent f4ce489
commit 8968412
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 25 deletions.
diff --git a/.github/workflows/AIForOrcas.Client.Web.yaml b/.github/workflows/AIForOrcas.Client.Web.yaml
@@ -30,6 +30,9 @@ defaults:
  run:
  working-directory: ModeratorFrontEnd/AIForOrcas/AIForOrcas.Client.Web
 
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs:
  build:
  runs-on: ubuntu-latest
@@ -40,9 +43,9 @@ jobs:
  with:
  egress-policy: audit
  - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
  - name: Setup .NET Core
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 # v1.9.1
  with:
  dotnet-version: ${{ env.DOTNET_VERSION }}
  - name: Dependencies
@@ -54,7 +57,7 @@ jobs:
  - name: Publish
  run: dotnet publish --no-restore -c Release -o './${{ env.PUBLISH_DIR }}'
  - name: Artifacts cache
- uses: actions/cache@v2
+ uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
  with:
  path: ./${{ env.WORKING_DIR }}/${{ env.PUBLISH_DIR }}
  key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
@@ -70,12 +73,12 @@ jobs:
  with:
  egress-policy: audit
  - name: Artifacts cache
- uses: actions/cache@v2
+ uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
  with:
  path: ./${{ env.WORKING_DIR}}/${{ env.PUBLISH_DIR }}
  key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
  - name: Deploy to azure
- uses: azure/webapps-deploy@v2
+ uses: azure/webapps-deploy@4bfb30bef2c330e36be280cb1e5726d0fac06233 # v2.2.13
  with:
  app-name: ${{ env.AZURE_APP_NAME }}
  publish-profile: ${{ secrets.AZURE_AISFORORCAS_PUBLISH_PROFILE }}

diff --git a/.github/workflows/AIForOrcas.Server.yaml b/.github/workflows/AIForOrcas.Server.yaml
@@ -28,6 +28,9 @@ defaults:
  run:
  working-directory: ModeratorFrontEnd/AIForOrcas/AIForOrcas.Server
 
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs:
  build:
  runs-on: ubuntu-latest
@@ -38,9 +41,9 @@ jobs:
  with:
  egress-policy: audit
  - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
  - name: Setup .NET Core
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 # v1.9.1
  with:
  dotnet-version: ${{ env.DOTNET_VERSION }}
  - name: Dependencies
@@ -52,7 +55,7 @@ jobs:
  - name: Publish
  run: dotnet publish --no-restore -c Release -o './${{ env.PUBLISH_DIR }}'
  - name: Artifacts cache
- uses: actions/cache@v2
+ uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
  with:
  path: ./${{ env.WORKING_DIR }}/${{ env.PUBLISH_DIR }}
  key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
@@ -68,12 +71,12 @@ jobs:
  with:
  egress-policy: audit
  - name: Artifacts cache
- uses: actions/cache@v2
+ uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
  with:
  path: ./${{ env.WORKING_DIR}}/${{ env.PUBLISH_DIR }}
  key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
  - name: Deploy to azure
- uses: azure/webapps-deploy@v2
+ uses: azure/webapps-deploy@4bfb30bef2c330e36be280cb1e5726d0fac06233 # v2.2.13
  with:
  app-name: ${{ env.AZURE_APP_NAME }}
  publish-profile: ${{ secrets.AZURE_AISFORORCASDETECTIONS_PUBLISH_PROFILE }}

diff --git a/.github/workflows/NotificationSystem.yaml b/.github/workflows/NotificationSystem.yaml
@@ -24,6 +24,9 @@ defaults:
  run:
  working-directory: NotificationSystem
 
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs:
  build:
  runs-on: ubuntu-latest
@@ -34,9 +37,9 @@ jobs:
  with:
  egress-policy: audit
  - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
  - name: Setup .NET Core
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 # v1.9.1
  with:
  dotnet-version: ${{ env.DOTNET_VERSION }}
  - name: Dependencies
@@ -48,7 +51,7 @@ jobs:
  - name: Publish
  run: dotnet publish --no-restore -c Release -o './${{ env.PUBLISH_DIR }}'
  - name: Artifacts cache
- uses: actions/cache@v2
+ uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
  with:
  path: ./${{ env.WORKING_DIR }}/${{ env.PUBLISH_DIR }}
  key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
@@ -64,12 +67,12 @@ jobs:
  with:
  egress-policy: audit
  - name: Artifacts cache
- uses: actions/cache@v2
+ uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
  with:
  path: ./${{ env.WORKING_DIR}}/${{ env.PUBLISH_DIR }}
  key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
  - name: Deploy to Azure Functions
- uses: azure/functions-action@v1
+ uses: azure/functions-action@fd80521afbba9a2a76a99ba1acc07aff8d733d11 # v1.5.2
  with:
  app-name: ${{ env.AZURE_APP_NAME }}
  publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }}

diff --git a/.github/workflows/OrcaHello.Web.Api.yaml b/.github/workflows/OrcaHello.Web.Api.yaml
@@ -26,6 +26,9 @@ defaults:
  run:
  working-directory: ModeratorFrontEnd/OrcaHello/OrcaHello.Web.Api
 
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs:
  build:
  runs-on: ubuntu-latest
@@ -36,9 +39,9 @@ jobs:
  with:
  egress-policy: audit
  - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
  - name: Set up .NET Core
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 # v1.9.1
  with:
  dotnet-version: ${{ env.DOTNET_VERSION }}
  - name: Dependencies
@@ -50,7 +53,7 @@ jobs:
  - name: Publish
  run: dotnet publish --no-restore -c Release -o './${{ env.PUBLISH_DIR }}'
  - name: Artifacts cache
- uses: actions/cache@v2
+ uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
  with:
  path: ./${{ env.WORKING_DIR }}/${{ env.PUBLISH_DIR }}
  key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
@@ -66,12 +69,12 @@ jobs:
  with:
  egress-policy: audit
  - name: Artifacts cache
- uses: actions/cache@v2
+ uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
  with:
  path: ./${{ env.WORKING_DIR}}/${{ env.PUBLISH_DIR }}
  key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
  - name: Deploy to azure
- uses: azure/webapps-deploy@v2
+ uses: azure/webapps-deploy@4bfb30bef2c330e36be280cb1e5726d0fac06233 # v2.2.13
  with:
  app-name: ${{ env.AZURE_APP_NAME }}
  publish-profile: ${{ secrets.AZURE_ORCAHELLODETECTIONS_PUBLISH_PROFILE }}

diff --git a/.github/workflows/OrcaHello.Web.UI.yaml b/.github/workflows/OrcaHello.Web.UI.yaml
@@ -26,6 +26,9 @@ defaults:
  run:
  working-directory: ModeratorFrontEnd/OrcaHello/OrcaHello.Web.UI
 
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs:
  build:
  runs-on: ubuntu-latest
@@ -36,9 +39,9 @@ jobs:
  with:
  egress-policy: audit
  - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
  - name: Set up .NET Core
- uses: actions/setup-dotnet@v1
+ uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 # v1.9.1
  with:
  dotnet-version: ${{ env.DOTNET_VERSION }}
  - name: Dependencies
@@ -50,7 +53,7 @@ jobs:
  - name: Publish
  run: dotnet publish --no-restore -c Release -o './${{ env.PUBLISH_DIR }}'
  - name: Artifacts cache
- uses: actions/cache@v2
+ uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
  with:
  path: ./${{ env.WORKING_DIR }}/${{ env.PUBLISH_DIR }}
  key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
@@ -66,12 +69,12 @@ jobs:
  with:
  egress-policy: audit
  - name: Artifacts cache
- uses: actions/cache@v2
+ uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
  with:
  path: ./${{ env.WORKING_DIR}}/${{ env.PUBLISH_DIR }}
  key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
  - name: Deploy to azure
- uses: azure/webapps-deploy@v2
+ uses: azure/webapps-deploy@4bfb30bef2c330e36be280cb1e5726d0fac06233 # v2.2.13
  with:
  app-name: ${{ env.AZURE_APP_NAME }}
  publish-profile: ${{ secrets.AZURE_ORCAHELLO_PUBLISH_PROFILE }}