From e59b76097b6f45878aa1f6bcca757ef793504135 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Tue, 31 Dec 2024 11:47:16 +0100
Subject: [PATCH] chore: Harden GHA workflows

---
 .github/workflows/CI-Experimental.yml | 8 +++--
 .github/workflows/CI.yml | 44 ++++++++++++++++++---------
 2 files changed, 35 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/CI-Experimental.yml b/.github/workflows/CI-Experimental.yml
index 63c01a4..58c682c 100644
--- a/.github/workflows/CI-Experimental.yml
+++ b/.github/workflows/CI-Experimental.yml
@@ -1,6 +1,6 @@
 name: CI Experimental
 
-permissions: read-all
+permissions: {}
 
 on:
   push:
@@ -19,8 +19,10 @@ jobs:
           - 6379/tcp
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
-      - uses: shivammathur/setup-php@2.32.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # 2.32.0
         with:
           php-version: '8.5'
           extensions: mbstring, redis, apcu
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index c4b3e80..48e569d 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -1,6 +1,6 @@
 name: CI
 
-permissions: read-all
+permissions: {}
 
 on:
   push:
@@ -12,6 +12,8 @@ jobs:
   tests:
     name: Tests on PHP ${{ matrix.php }} ${{ matrix.dependencies }}
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     services:
       redis:
         image: redis
@@ -23,8 +25,10 @@ jobs:
         dependencies: ['--ignore-platform-req=php', '--prefer-lowest --prefer-stable --ignore-platform-req=php']
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
-      - uses: shivammathur/setup-php@2.32.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # 2.32.0
         with:
           php-version: ${{ matrix.php }}
           extensions: mbstring, redis, apcu
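Review bot: Switching the workflow-level grant to `permissions: {}` leaves every job that declares no `permissions:` block of its own with a token that has no scopes, yet only the `tests` job in CI.yml gains `permissions:` / `contents: read` in the `@@ -12,6 +12,8 @@` hunk; the CI-Experimental job in the `@@ -19,8 +19,10 @@` hunk and the CI.yml jobs in the later hunks (`mutation_testing` and the jobs in the `@@ -81`, `@@ -104`, `@@ -123`, `@@ -137` and `@@ -150` hunks) receive no job-level grant in what is shown. Their job headers lie outside these hunks, so they may already carry one; if they do not, `actions/checkout` keeps working only because a scope-less token can still clone a public repository, and those jobs would break if the repository were ever made private. For parity with `tests`, add `permissions:` with `contents: read` under each of those jobs, or record the reliance on anonymous read access in a comment next to `permissions: {}`.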
@@ -41,9 +45,9 @@ jobs:
         env:
           REDIS_PORT: ${{ job.services.redis.ports['6379'] }}
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v5.1.2
+        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
         with:
-          file: ./coverage.xml
+          files: ./coverage.xml
   mutation_testing:
     name: Mutation testing
     runs-on: ubuntu-24.04
@@ -54,8 +58,10 @@ jobs:
           - 6379/tcp
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
-      - uses: shivammathur/setup-php@2.32.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # 2.32.0
         with:
           php-version: '8.2'
           extensions: mbstring, redis, apcu
@@ -69,7 +75,7 @@ jobs:
           REDIS_PORT: ${{ job.services.redis.ports['6379'] }}
       - name: Archive report
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: Infection report
           path: infection.log
@@ -81,7 +87,9 @@ jobs:
         php: ['8.2', '8.3', '8.4']
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: composer install --no-interaction --prefer-dist
       - name: Start stack
@@ -104,8 +112,10 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
-      - uses: shivammathur/setup-php@2.32.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # 2.32.0
         with:
           php-version: '8.2'
           extensions: mbstring, redis, apcu
@@ -123,7 +133,9 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: composer install --no-interaction --prefer-dist
       - name: Composer Require Checker
@@ -137,7 +149,9 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
       # Disable (temporarily) CI check with Roave BC check
       # See https://github.com/Nyholm/roave-bc-check-docker/issues/32
@@ -150,7 +164,9 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Install nix
         uses: cachix/install-nix-action@v30
         with:
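Review bot: In the `@@ -137,7 +149,9 @@` hunk the `- run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*` step now executes after a checkout with `persist-credentials: false`, so the job token is no longer in the remote's auth header and the fetch depends on anonymous read access to the remote; that works for a public repository but would fail on a private one, and it is a second code path that has to be reasoned about when reviewing credential exposure. The checkout action can fetch the tags itself while the credentials stay scoped to the action: add `fetch-tags: true` beside `persist-credentials: false` under the new `with:` block and drop the separate `run` step (it should be equivalent for the BC check, but verify the tag set it yields). The enclosing job's header is outside the hunk, so whether it declares its own `permissions:` cannot be seen here.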
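Review bot: `uses: cachix/install-nix-action@v30` in the `@@ -150,7 +164,9 @@` hunk is the one action touched by this commit that stays on a mutable tag, while every other `uses:` is pinned to a full commit SHA with the version kept in a trailing comment; a tag can be re-pointed to different code after review, which is precisely what the SHA pins elsewhere rule out. Pin it the same way, `uses: cachix/install-nix-action@<full-commit-sha-of-the-v30-tag> # v30` (placeholder: take the SHA from the action's tag), so the whole workflow follows one pinning policy. The job's remaining steps run past the hunk, so any other actions it uses are not visible here.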