From 7dd08736bbed2032af928bc561c95de05a0e26b6 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Fri, 24 Oct 2025 10:11:10 -0400
Subject: [PATCH] ci: ratchet down permissions, pin all actions

Signed-off-by: William Woodruff
---
 .github/dependabot.yml | 2 ++
 .github/workflows/assign-ids.yml | 12 +++++++++---
 .github/workflows/export-osv.yml | 9 +++++++--
 .github/workflows/publish-web.yml | 9 +++++++--
 .github/workflows/sync-ids.yml | 12 +++++++++---
 .github/workflows/validate.yml | 8 ++++++--
 6 files changed, 40 insertions(+), 12 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1705d1bd7..2ec79429d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,3 +5,5 @@ updates:
 schedule:
 interval: "weekly"
 open-pull-requests-limit: 10
+ cooldown:
+ default-days: 7
\ No newline at end of file
diff --git a/.github/workflows/assign-ids.yml b/.github/workflows/assign-ids.yml
index faef0c4c5..d30d8c5d0 100644
--- a/.github/workflows/assign-ids.yml
+++ b/.github/workflows/assign-ids.yml
@@ -4,16 +4,22 @@ on:
 push:
 branches: main
 
+permissions: {}
+
 jobs:
 assign-ids:
 name: Assign IDs
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write # needed to create pull requests
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
 
 - name: Cache cargo bin
 id: admin-cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: ~/.cargo/bin
 key: rustsec-admin-c7f56c474e01619b78b9c39bdb626d982f3bee90
@@ -35,7 +41,7 @@ jobs:
 ls -R ./crates/ ./rust/ | sha256sum >> .duplicate-id-guard
 
 - name: Create pull request
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 commit-message: ${{ steps.assign.outputs.commit_message }}
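Review bot: The new `default-days: 7` line is written without a terminating newline, as the `\ No newline at end of file` marker shows, so the next edit to `.github/dependabot.yml` will register a spurious change on this line; end the file with a single newline (yamllint `new-line-at-end-of-file`). Since this commit also moves every action to a SHA pin, the cooldown now delays those pin bumps by a week as well, which reads as intentional but is worth stating in a comment above `cooldown:`, e.g. `# hold new action releases for a week before opening a bump PR`.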
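Review bot: The new job-level `permissions:` block grants only `pull-requests: write`, but the `Create pull request` step in this file's second hunk pushes the PR branch with `${{ secrets.GITHUB_TOKEN }}`, and peter-evans/create-pull-request documents `contents: write` as required for that push; with the top-level `permissions: {}` every unspecified scope is `none`, so the branch push would be rejected before the PR is opened. Add `contents: write # needed to push the PR branch` next to `pull-requests: write`. The `sync-ids` job in `.github/workflows/sync-ids.yml` has the same block and the same action with the same token, so the same addition applies there. The job body between the two hunks is outside this view; if the push uses a different credential or remote, this does not apply.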
diff --git a/.github/workflows/export-osv.yml b/.github/workflows/export-osv.yml
index 8315734e9..d38f44215 100644
--- a/.github/workflows/export-osv.yml
+++ b/.github/workflows/export-osv.yml
@@ -4,15 +4,20 @@ on:
 push:
 branches: main
 
+permissions: {}
+
 jobs:
 publish-web:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # needed for pushing back to the repo
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 ref: osv
+ persist-credentials: true # persists the token for git push below
 
- - uses: actions/cache@v4
+ - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 id: admin-cache
 with:
 path: ~/.cargo/bin
diff --git a/.github/workflows/publish-web.yml b/.github/workflows/publish-web.yml
index 2c30608ef..cf3051c16 100644
--- a/.github/workflows/publish-web.yml
+++ b/.github/workflows/publish-web.yml
@@ -4,15 +4,20 @@ on:
 push:
 branches: main
 
+permissions: {}
+
 jobs:
 publish-web:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # needed for pushing back to the repo
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 ref: gh-pages
+ persist-credentials: true # persists the token for git push below
 
- - uses: actions/cache@v4
+ - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 id: admin-cache
 with:
 path: ~/.cargo/bin
diff --git a/.github/workflows/sync-ids.yml b/.github/workflows/sync-ids.yml
index 2aabe2915..bf4552cc6 100644
--- a/.github/workflows/sync-ids.yml
+++ b/.github/workflows/sync-ids.yml
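Review bot: `persist-credentials: true` leaves the token, now carrying `contents: write`, in `.git/config` for the rest of the job, so every later step — including the binary restored from the actions cache by the next step and anything that runs before the push the comment refers to — can push to any branch of the repository, not only `osv`. If the push is a single step, the tighter shape is to keep `persist-credentials: false` and authenticate only that step; if the job-wide credential is deliberate, say so in the comment, e.g. `persist-credentials: true # token stays in .git/config for all later steps; required by the git push below`. The push step itself is outside this hunk, so this is a risk note rather than a confirmed defect. `.github/workflows/publish-web.yml` has the identical pattern with `ref: gh-pages` and the same note applies.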
@@ -6,16 +6,22 @@ on:
 # daily run on default "main" branch
 - cron: "30 1 * * *"
 
+permissions: {}
+
 jobs:
 sync-ids:
 name: Synchronize IDs
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write # needed to create pull requests
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
 
 - name: Cache cargo bin
 id: admin-cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: ~/.cargo/bin
 key: rustsec-admin-c7f56c474e01619b78b9c39bdb626d982f3bee90
@@ -35,7 +41,7 @@ jobs:
 echo "commit_message=${message}" >> $GITHUB_OUTPUT
 
 - name: Create pull request
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 commit-message: ${{ steps.sync_ids.outputs.commit_message }}
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 93be3048c..2578990d6 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -5,16 +5,20 @@ on:
 push:
 branches: main
 
+permissions: {}
+
 jobs:
 lint:
 name: Lint advisories
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
 
 - name: Cache cargo bin
 id: admin-cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: ~/.cargo/bin
 key: rustsec-admin-c7f56c474e01619b78b9c39bdb626d982f3bee90