Enhance Workflows Security (#5880)

UlisesGascon · NathanWalker · web-flow · commit 96ecae76bd63 · 2025-09-10T13:57:34.000-07:00
* chore: remove CodeQL workflow in favor of the advance one References: - https://github.com/NativeScript/nativescript-cli/actions/workflows/codeql-advanced.yml - https://github.com/NativeScript/nativescript-cli/actions/workflows/codeql.yml * feat: define workflow permissions * feat: pin dependencies in workflows --------- Co-authored-by: Nathan Walker <walkerrunpdx@gmail.com>
diff --git a/.github/workflows/codeql-advanced.yml b/.github/workflows/codeql-advanced.yml
@@ -19,6 +19,9 @@ on:
   schedule:
     - cron: '21 2 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
@@ -57,7 +60,7 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
     # Add any setup steps before running the `github/codeql-action/init` action.
     # This includes steps like installing compilers or runtimes (`actions/setup-node`
@@ -67,7 +70,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3.30.2
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -95,6 +98,6 @@ jobs:
         exit 1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3.30.2
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
diff --git a/.github/workflows/npm_release_cli.yml b/.github/workflows/npm_release_cli.yml
@@ -24,9 +24,9 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
         with:
           node-version: 22.14.0
 
diff --git a/.github/workflows/npm_release_doctor.yml b/.github/workflows/npm_release_doctor.yml
@@ -28,7 +28,7 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
       - name: Setup
         run: npm install
