Save work on locking down our actions

2025-05-24 02:02:23 -04:00 · 2025-04-23 13:38:03 -07:00 · 2025-04-23 13:38:03 -07:00 · 41ab921621
commit 41ab921621
parent e277a8e1ea
6 changed files with 35 additions and 8 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -46,7 +46,7 @@ jobs:
        with:
          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
      - name: Install uv
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@v5.4.2
        with:
          version: ${{ env.DEFAULT_UV_VERSION }}
          enable-cache: true
@ -100,7 +100,7 @@ jobs:
        with:
          python-version: "${{ matrix.python-version }}"
      - name: Install uv
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@v5.4.2
        with:
          version: ${{ env.DEFAULT_UV_VERSION }}
          enable-cache: true
@ -392,7 +392,7 @@ jobs:
        with:
          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
      - name: Install uv
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@v5.4.2
        with:
          version: ${{ env.DEFAULT_UV_VERSION }}
          enable-cache: true
@ -540,7 +540,7 @@ jobs:
        with:
          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
      - name: Install uv
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@v5.4.2
        with:
          version: ${{ env.DEFAULT_UV_VERSION }}
          enable-cache: true
--- a/.github/workflows/crowdin.yml
+++ b/.github/workflows/crowdin.yml
@ -6,6 +6,9 @@ on:
  push:
    paths: ['src/locale/**', 'src-ui/messages.xlf', 'src-ui/src/locale/**']
    branches: [dev]
+permissions:
+  contents: write
+  pull-requests: write
 jobs:
  synchronize-with-crowdin:
    name: Crowdin Sync
@ -14,8 +17,10 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
      - name: crowdin action
-        uses: crowdin/github-action@v2
+        uses: crowdin/github-action@v2.7.0
        with:
          upload_translations: false
          download_translations: true
--- a/.github/workflows/repo-maintenance.yml
+++ b/.github/workflows/repo-maintenance.yml
@ -12,6 +12,9 @@ concurrency:
 jobs:
  stale:
    name: 'Stale'
+    permissions:
+      issues: write
+      pull-requests: write
    if: github.repository_owner == 'paperless-ngx'
    runs-on: ubuntu-24.04
    steps:
@ -27,6 +30,10 @@ jobs:

  lock-threads:
    name: 'Lock Old Threads'
+    permissions:
+      issues: write
+      pull-requests: write
+      discussions: write
    if: github.repository_owner == 'paperless-ngx'
    runs-on: ubuntu-24.04
    steps:
@ -47,6 +54,8 @@ jobs:

  close-answered-discussions:
    name: 'Close Answered Discussions'
+    permissions:
+      discussions: write
    if: github.repository_owner == 'paperless-ngx'
    runs-on: ubuntu-24.04
    steps:
--- a/.github/workflows/translate-strings.yml
+++ b/.github/workflows/translate-strings.yml
@ -15,6 +15,7 @@ jobs:
        with:
          token: ${{ secrets.PNGX_BOT_PAT }}
          ref: ${{ github.head_ref }}
+          persist-credentials: true
      - name: Set up Python
        id: setup-python
        uses: actions/setup-python@v5
@ -23,7 +24,7 @@ jobs:
          sudo apt-get update -qq
          sudo apt-get install -qq --no-install-recommends gettext
      - name: Install uv
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@v5.4.2
        with:
          enable-cache: true
      - name: Install backend python dependencies
@ -34,7 +35,7 @@ jobs:
      - name: Generate backend translation strings
        run: cd src/ && uv run manage.py makemessages -l en_US -i "samples*"
      - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v4.1.0
        with:
          version: 10
      - name: Use Node.js 20
@ -61,7 +62,7 @@ jobs:
          cd src-ui
          pnpm run ng extract-i18n
      - name: Commit changes
-        uses: stefanzweifel/git-auto-commit-action@v5
+        uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403  # v5.2.0
        with:
          file_pattern: 'src-ui/messages.xlf src/locale/en_US/LC_MESSAGES/django.po'
          commit_message: "Auto translate strings"
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@ -0,0 +1,8 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        actions/*: ref-pin
+        crowdin/github-action: ref-pin
+        astral-sh/setup-uv: ref-pin
+        pnpm/action-setup: ref-pin
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -48,6 +48,10 @@ repos:
        additional_dependencies:
          - prettier@3.3.3
          - 'prettier-plugin-organize-imports@4.1.0'
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v1.6.0
+    hooks:
+    - id: zizmor
  # Python hooks
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: v0.9.9