Pinned GitHub workflows by SHA (#8334)

- Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies - Included permissions for some of the actions. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions Dependabot can upgrade pinned version of actions.
2022-03-14 10:29:58 -05:00 · 2022-03-14 10:29:58 -05:00 · 974d038c2a
commit 974d038c2a
parent e1eff78160
3 changed files with 50 additions and 32 deletions
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@ -8,6 +8,9 @@ on:
 jobs:

  changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
    runs-on: ubuntu-latest
    if: |
      (github.repository == 'kubernetes/ingress-nginx')
@ -18,15 +21,15 @@ jobs:
    steps:

      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2

-      - uses: dorny/paths-filter@v2
+      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2
        id: filter
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          filters: |
            docs:
-              - 'docs/**/*'
+             - 'docs/**/*'

  docs:
    name: Update
@ -43,9 +46,9 @@ jobs:
    steps:

      - name: Checkout master
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2

      - name: Deploy
        uses: ./.github/actions/mkdocs
        env:
-          PERSONAL_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          PERSONAL_TOKEN: "${{ secrets.GITHUB_TOKEN }}"