Improve security of GitHub Actions workflows

.github/workflows/ci.yml

@@ -17,36 +17,40 @@ jobs:
       matrix:
         platform: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.platform }}
+    permissions:
+      contents: read
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7
         with:
           node-version: '16'
       - name: Install Graphviz
-        uses: tlylt/install-graphviz@v1
+        uses: tlylt/install-graphviz@b2201200d85f06f0189cb74d9b69208504cf12cd
       - name: Install Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0
         with:
           java-version: '11'
           distribution: 'temurin'
       - run: npm run setup
       - run: npm run test
       - name: Upload coverage report to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   check-docs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7
         with:
           node-version: '16'
       - name: Install Graphviz
-        uses: tlylt/install-graphviz@v1
+        uses: tlylt/install-graphviz@b2201200d85f06f0189cb74d9b69208504cf12cd
       - name: Install Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0
         with:
           java-version: '11'
           distribution: 'temurin'
@@ -69,18 +73,17 @@ jobs:
     # disabled on forks
     if: github.event_name == 'push' && github.repository == 'MarkBind/markbind'
     runs-on: ubuntu-latest
-    env:
-      GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
-
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7
         with:
           node-version: '16'
       - name: Install Graphviz
-        uses: tlylt/install-graphviz@v1
+        uses: tlylt/install-graphviz@b2201200d85f06f0189cb74d9b69208504cf12cd
       - name: Install Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0
         with:
           java-version: '11'
           distribution: 'temurin'

.github/workflows/pr-merge.yml

@@ -12,8 +12,15 @@ jobs:
     check-pr-label:
         if: ${{ github.event.pull_request.merged }}
         runs-on: ubuntu-latest
+        permissions:
+          contents: read
+        outputs:
+          num_labels_chosen: ${{ steps.check_pr_description_label.outputs.num_labels_chosen }}
+          message: ${{ steps.check_pr_description_label.outputs.message }}
+          chosen_label: ${{ steps.check_pr_description_label.outputs.chosen_label }}
         steps:
-          - uses: actions/checkout@v3
+          - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+
           - name: Check for PR description label
             id: check_pr_description_label
             run: |
@@ -24,13 +31,13 @@ jobs:
               is_minor=$(echo "$proposed_version_impact" | grep -qi '\[X\] Minor'; echo $((1-$?)))
               is_patch=$(echo "$proposed_version_impact" | grep -qi '\[X\] Patch'; echo $((1-$?)))
               num_labels_chosen=$(($is_major + $is_minor + $is_patch))
-              echo "num_labels_chosen=$num_labels_chosen" >> $GITHUB_OUTPUT
+              echo "num_labels_chosen=$num_labels_chosen" >> "$GITHUB_OUTPUT"
               if [[ "$num_labels_chosen" -eq 0 ]]; then
-                echo "message=$(echo "@${MERGE_AUTHOR} Each PR must have a SEMVER impact label, please remember to label the PR properly.")" >> $GITHUB_OUTPUT
+                echo "message=$(echo "@${MERGE_AUTHOR} Each PR must have a SEMVER impact label, please remember to label the PR properly.")" >> "$GITHUB_OUTPUT"
               elif [[ "$num_labels_chosen" -ge 2 ]]; then
-                echo "message=$(echo "@${MERGE_AUTHOR} Each PR can only have one SEMVER impact label, please remember to label the PR properly.")" >> $GITHUB_OUTPUT
+                echo "message=$(echo "@${MERGE_AUTHOR} Each PR can only have one SEMVER impact label, please remember to label the PR properly.")" >> "$GITHUB_OUTPUT"
               else
-                echo "message=$(echo "SEMVER impact selected.")" >> $GITHUB_OUTPUT
+                echo "message=$(echo "SEMVER impact selected.")" >> "$GITHUB_OUTPUT"
                 echo "chosen_label=$(
                     if [ "$is_major" -eq 1 ]; then
                         echo "r.Major"
@@ -39,31 +46,39 @@ jobs:
                     elif [ "$is_patch" -eq 1 ]; then
                         echo "r.Patch"
                     fi
-                 )" >> $GITHUB_OUTPUT
+                 )" >> "$GITHUB_OUTPUT"
               fi
             env:
               TEXT_BODY: ${{ github.event.pull_request.body }}
               MERGE_AUTHOR: ${{ github.event.sender.login }}
-          - name: Assign label based on version impact
-            uses: actions/github-script@v7
+
+    assign-label-or-comment:
+        if: ${{ github.event.pull_request.merged }}
+        runs-on: ubuntu-latest
+        needs: check-pr-label
+        permissions:
+            pull-requests: write
+        steps:
+          - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
             with:
-                script: |
-                    if (process.env.NUM_LABELS_CHOSEN != 1) {
-                      github.rest.issues.createComment({
+              script: |
+                if (process.env.NUM_LABELS_CHOSEN != 1) {
+                    github.rest.issues.createComment({
+                    issue_number: context.payload.pull_request.number,
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    body: process.env.MESSAGE,
+                    });
+                } else {
+                    github.rest.issues.addLabels({
                         issue_number: context.payload.pull_request.number,
                         owner: context.repo.owner,
                         repo: context.repo.repo,
-                        body: process.env.MESSAGE,
-                      });
-                    } else {
-                        github.rest.issues.addLabels({
-                            issue_number: context.payload.pull_request.number,
-                            owner: context.repo.owner,
-                            repo: context.repo.repo,
-                            labels: [process.env.CHOSEN_LABEL]
-                        });
-                    }
+                        labels: [process.env.CHOSEN_LABEL]
+                    });
+                }
             env:
-                NUM_LABELS_CHOSEN: ${{ steps.check_pr_description_label.outputs.num_labels_chosen }}
-                MESSAGE: ${{ steps.check_pr_description_label.outputs.message }}
-                CHOSEN_LABEL: ${{ steps.check_pr_description_label.outputs.chosen_label }}
+              NUM_LABELS_CHOSEN: ${{ needs.check-pr-label.outputs.num_labels_chosen }}
+              MESSAGE: ${{ needs.check-pr-label.outputs.message }}
+              CHOSEN_LABEL: ${{ needs.check-pr-label.outputs.chosen_label }}
+

.github/workflows/pr-message-reminder.yml

@@ -20,9 +20,11 @@ jobs:
     remind-pr-author:
         if: github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        permissions:
+          contents: read
 
         steps:
-          - uses: actions/checkout@v3
+          - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
           - name: Extract Proposed Commit Message
             run: |
               python scripts/process_message.py "${TEXT_BODY}" > processed_body.txt