From 4db45df86c5a8d7b8cdf8b37ea2d946da9ce8aa7 Mon Sep 17 00:00:00 2001
From: Yoann Chaudet
Date: Wed, 27 Nov 2024 14:37:25 -0800
Subject: [PATCH] Fix security issues in various workflows

---
 .github/workflows/publish-docker.yml | 14 +++++++++-----
 .github/workflows/publish-gem.yml    |  7 +++++--
 .github/workflows/push.yml           |  2 ++
 3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
index 028879a8..5922a803 100644
--- a/.github/workflows/publish-docker.yml
+++ b/.github/workflows/publish-docker.yml
@@ -5,10 +5,14 @@ on:
     tags: [ 'v*' ]
   pull_request:
     branches: [ master ]
-
+
 env:
   REGISTRY: ghcr.io
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -18,10 +22,10 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
 
       - name: Log in to the Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -29,12 +33,12 @@ jobs:
 
       - name: Get Docker Metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository }}
 
       - name: Build Docker Image and Push to Container Registry
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
diff --git a/.github/workflows/publish-gem.yml b/.github/workflows/publish-gem.yml
index 1f9a37a0..4ce9da76 100644
--- a/.github/workflows/publish-gem.yml
+++ b/.github/workflows/publish-gem.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [released]
 
+permissions:
+  contents: read
+
 jobs:
   release:
     runs-on: ubuntu-latest
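Review bot: The new workflow-level `permissions` block in the first publish-docker.yml hunk grants `packages: write` to pull_request runs as well, although the only registry push is gated by `push: ${{ github.event_name != 'pull_request' }}` further down the file, so a same-repository pull request build holds a write-capable GITHUB_TOKEN it never uses (fork pull requests receive a read-only token regardless). With a single `build` job there is no narrower job-level scope to move it to, so at minimum record the intent next to the block: `# packages: write is only exercised on tag pushes; pull_request runs build the image but do not push it`. If the pull_request build is ever split into its own job, `packages: write` should move to the job that actually pushes.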
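Review bot: In the Set up Docker Buildx hunk the context line `uses: actions/checkout@v4` is still pinned to a mutable tag while the two `uses:` lines below it are pinned to full commit SHAs; if the goal of this commit is to pin every third-party action, checkout should get the same treatment, and the same `actions/checkout@v4` context line appears in publish-gem.yml's Setup Ruby hunk. The new SHA pins also carry no human-readable version, which makes reviewing a bump and spotting an outdated pin harder; append the tag the SHA was resolved from as a trailing comment, e.g. `uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # <tag this SHA was resolved from>`, and do the same for the metadata-action and build-push-action pins in the following hunk and the ruby/setup-ruby pin in publish-gem.yml. Dependabot's github-actions updater can keep such a trailing version comment in sync when it bumps the SHA, so the comment does not go stale on its own.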
@@ -11,7 +14,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Setup Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc
         with:
           ruby-version: "3.3"
       - name: Build gem
@@ -19,6 +22,6 @@ jobs:
           gem build github-pages.gemspec
       - name: Publish gem
         env:
-          GEM_HOST_API_KEY: ${{ secrets.PAGES_GEM_PUBLISH }}
+          GEM_HOST_API_KEY: ${{ secrets.PAGES_GEM_PUBLISH }}
         run: |
           gem push github-pages-*.gem
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 84143356..615946fa 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -1,5 +1,7 @@
 on: push
 name: cibuild on push
+permissions:
+  contents: read
 jobs:
   build:
     name: "GitHub Pages Tests"