fix: improve the safety of github action

.github/dependabot.yml

@@ -1,10 +1,10 @@
 version: 2
 updates:
-- package-ecosystem: docker
+- package-ecosystem: github-actions
   directory: /
   schedule:
-    interval: daily
-- package-ecosystem: github-actions
+    interval: weekly
+- package-ecosystem: docker
   directory: /
   schedule:
     interval: daily

.github/workflows/build.yaml

@@ -1,68 +1,71 @@
 name: Build
-on: pull_request
+permissions: read-all
+on:
+  pull_request:
+    branches:
+    - main
 jobs:
-  build:
+  build-binaries:
+    permissions:
+      contents: read
+      actions: write
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout
-      uses: actions/checkout@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         ref: ${{ github.event.pull_request.head.sha }}
-    - name: Install Go
-      uses: actions/setup-go@v5
+    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
       with:
         go-version: stable
-    - name: Set up environment
-      run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV"
-    - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v5
+    - run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV"
+    - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
       with:
         version: latest
         args: build --snapshot --clean
-    - name: Tar up binaries
+    - name: Upload binary artifacts
       # work around limitations in the upload/download artifact actions
       # https://github.com/actions/download-artifact#limitations
       run: tar -cvf dist.tar dist
     - name: Upload binaries tar file
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: dist.tar
         path: dist.tar
-  buildimage:
+  build-images:
     permissions:
+      contents: read
+      actions: read
       packages: write
       id-token: write
     if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     strategy:
       matrix:
         binary:
         - go-cli-github
-    needs: build
+    needs: build-binaries
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-    - name: Download binaries tar file
-      uses: actions/download-artifact@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - name: Download binary artifacts
+      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
       with:
         name: dist.tar
     - name: Untar binaries
       run: tar -xvf dist.tar
     - name: Login to GHCR
-      uses: docker/#-action@v3
+      uses: docker/#-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
-    - name: Docker metadata
-      # this id is namespaced per matrix run
+    - name: Get Docker metadata
       id: docker_metadata
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@31cebacef4805868f9ce9a0cb03ee36c32df2ac4 # v5.3.0
       with:
         images: ghcr.io/${{ github.repository }}/${{ matrix.binary }}
     - name: Build and push ${{ matrix.binary }} container image
       id: docker_build
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
       with:
         push: true
         tags: ${{ steps.docker_metadata.outputs.tags }}

.github/workflows/codeql-analysis.yaml

@@ -1,32 +1,28 @@
-name: "CodeQL"
-
+name: CodeQL
 on:
   push:
     branches:
     - main
   pull_request:
     branches:
     - main
-
+permissions:
+  actions: read
+  contents: read
+  security-events: write
 jobs:
   analyze:
-    name: Analyze
     runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
     strategy:
       fail-fast: false
       matrix:
         language:
         - go
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9
       with:
         languages: ${{ matrix.language }}
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9

.github/workflows/coverage.yaml

@@ -3,28 +3,27 @@ on:
   push:
     branches:
     - main
-
+permissions:
+  contents: read
 jobs:
   coverage:
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Configure git
       run: |
         git config --global user.name "$GITHUB_ACTOR"
         git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
-    - name: Set up go
-      uses: actions/setup-go@v5
+    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
       with:
         go-version: stable
     - name: Calculate coverage
       run: |
         go test -v -covermode=count -coverprofile=coverage.out.raw -coverpkg=./... ./...
         grep -v mock_ coverage.out.raw > coverage.out
     - name: Convert coverage to lcov
-      uses: jandelgado/gcov2lcov-action@v1
-    - name: Coveralls
-      uses: coverallsapp/github-action@v2.2.3
+      uses: jandelgado/gcov2lcov-action@c680c0f7c7442485f1749eb2a13e54a686e76eb5 # v1.0.9
+    - name: Upload coverage to Coveralls
+      uses: coverallsapp/github-action@3dfc5567390f6fa9267c0ee9c251e4c8c3f18949 # v2.2.3
       with:
         github-token: ${{ secrets.github_token }}

.github/workflows/dependabot-automerge.yaml

@@ -1,24 +1,26 @@
 # https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request
 name: Dependabot auto-merge
-on: pull_request
-
+on:
+  pull_request:
+    branches:
+    - main
 permissions:
   contents: write
   pull-requests: write
-
 jobs:
-  dependabot:
+  dependabot-automerge:
     runs-on: ubuntu-latest
     if: github.actor == 'dependabot[bot]'
     steps:
-      - name: Dependabot metadata
-        id: metadata
-        uses: dependabot/fetch-metadata@v1
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-      - name: Enable auto-merge for Dependabot PRs
-        if: ! contains(steps.metadata.outputs.package-ecosystem, 'github-actions')
-        run: gh pr merge --auto --merge "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+    - name: Fetch dependabot metadata
+      id: metadata
+      uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0
+      with:
+        github-token: "${{ secrets.GITHUB_TOKEN }}"
+    - name: Auto-merge Dependabot PRs
+      # don't auto-merge action updates to appease OpenSSF scorecard
+      if: ! contains(steps.metadata.outputs.package-ecosystem, 'github-actions')
+      run: gh pr merge --auto --merge "$PR_URL"
+      env:
+        PR_URL: ${{github.event.pull_request.html_url}}
+        GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/dependency-review.yaml

@@ -1,15 +1,15 @@
-name: 'Dependency Review'
+name: Dependency Review
 on:
-- pull_request
+  pull_request:
+    branches:
+    - main
 permissions:
   contents: read
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-    - name: 'Checkout Repository'
-      uses: actions/checkout@v4
-    - name: Dependency Review
-      uses: actions/dependency-review-action@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/dependency-review-action@01bc87099ba56df1e897b6874784491ea6309bc4 # v3.1.4
       with:
-        config-file: '.github/dependency-review-config.yml'
+        config-file: .github/dependency-review-config.yml

.github/workflows/lint.yaml

@@ -1,26 +1,32 @@
 name: Lint
-on: pull_request
+on:
+  pull_request:
+    branches:
+    - main
+permissions:
+  contents: read
 jobs:
-  golangci-lint:
-    name: lint
+  lint-go:
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-    - name: Install Go
-      uses: actions/setup-go@v5
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
       with:
         go-version: stable
-    - name: golangci-lint
-      uses: golangci/golangci-lint-action@v3
+    - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
       with:
         args: --timeout=180s
-  commitlint:
+  lint-commits:
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout
-      uses: actions/checkout@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         fetch-depth: 0
-    - name: Lint commit messages
-      uses: wagoid/commitlint-github-action@v5
+    - uses: wagoid/commitlint-github-action@0d749a1a91d4770e983a7b8f83d4a3f0e7e0874e # v5.4.4
+  lint-actions:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: docker://rhysd/actionlint:latest@sha256:2eb91a78b5a19140be099c7b4262d298c2567f2a9f27e10ed2a4323c5bcface8
+      with:
+        args: -color