Merge pull request #477 from github/hendrikvanantwerpen/vulns

Fix actions vulnerabilities

Author: hendrikvanantwerpen

Diff for: .github/CODEOWNERS

@@ -1 +1 @@
-* @github/semantic-code
+* @github/semantic-code @github/blackbird

Diff for: .github/workflows/ci.yml

@@ -1,11 +1,15 @@
 name: Continuous integration
+
 on:
   push:
     branches: [main]
   pull_request:
   schedule:
     - cron: "0 0 1,15 * *"
 
+permissions:
+  contents: read
+
 # In the event that there is a new push to the ref, cancel any running jobs because there are now obsolete, and wasting resources.
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -23,7 +27,7 @@ jobs:
 
     steps:
       - name: Install Rust environment
-        uses: hecrj/setup-rust-action@v1
+        uses: hecrj/setup-rust-action@110f36749599534ca96628b82f52ae67e5d95a3c # v2
         with:
           rust-version: ${{ matrix.rust }}
       - name: Install cargo-hack
@@ -75,7 +79,7 @@ jobs:
 
     steps:
       - name: Install Rust environment
-        uses: hecrj/setup-rust-action@v1
+        uses: hecrj/setup-rust-action@110f36749599534ca96628b82f52ae67e5d95a3c # v2
         with:
           rust-version: ${{ matrix.rust }}
       - name: Checkout code
@@ -116,7 +120,7 @@ jobs:
 
     steps:
       - name: Install Rust environment
-        uses: hecrj/setup-rust-action@v1
+        uses: hecrj/setup-rust-action@110f36749599534ca96628b82f52ae67e5d95a3c # v2
         with:
           rust-version: ${{ matrix.rust }}
       - name: Install cargo-hack
@@ -148,7 +152,7 @@ jobs:
 
     steps:
       - name: Install Rust environment
-        uses: hecrj/setup-rust-action@v1
+        uses: hecrj/setup-rust-action@110f36749599534ca96628b82f52ae67e5d95a3c # v2
         with:
           rust-version: ${{ matrix.rust }}
       - name: Cache dependencies

Diff for: .github/workflows/perf.yml

@@ -1,9 +1,14 @@
 name: Performance testing
+
 on:
   pull_request:
     paths:
       - 'stack-graphs/**'
 
+permissions:
+  contents: read
+  pull-requests: write
+
 # In the event that there is a new push to the ref, cancel any running jobs because there are now obsolete, and wasting resources.
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -79,7 +84,7 @@ jobs:
       BASE_SHA: ${{ needs.changes.outputs.base-sha }}
     steps:
       - name: Install Rust environment
-        uses: hecrj/setup-rust-action@v1
+        uses: hecrj/setup-rust-action@110f36749599534ca96628b82f52ae67e5d95a3c # v2
         with:
           rust-version: stable
       - name: Cache Rust dependencies
@@ -148,7 +153,7 @@ jobs:
       HEAD_SHA: ${{ needs.changes.outputs.head-sha }}
     steps:
       - name: Install Rust environment
-        uses: hecrj/setup-rust-action@v1
+        uses: hecrj/setup-rust-action@110f36749599534ca96628b82f52ae67e5d95a3c # v2
         with:
           rust-version: stable
       - name: Cache Rust dependencies

Diff for: .github/workflows/publish-lsp-positions.yml

@@ -5,6 +5,9 @@ on:
     tags:
       - lsp-positions-v*
 
+permissions:
+  contents: write
+
 jobs:
   publish-crate:
     runs-on: ubuntu-latest
@@ -14,7 +17,7 @@ jobs:
       CRATE_DIR: './lsp-positions'
     steps:
       - name: Install Rust environment
-        uses: hecrj/setup-rust-action@v1
+        uses: hecrj/setup-rust-action@110f36749599534ca96628b82f52ae67e5d95a3c # v2
       - name: Checkout repository
         uses: actions/checkout@v4
       # TODO Verify the crate version matches the tag
@@ -38,7 +41,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
       - name: Create GitHub release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1
         with:
           body: |
             Find more info on all releases at https://crates.io/crates/lsp-positions.

Diff for: .github/workflows/publish-stack-graphs.yml

@@ -5,6 +5,9 @@ on:
     tags:
       - stack-graphs-v*
 
+permissions:
+  contents: write
+
 jobs:
   publish-crate:
     runs-on: ubuntu-latest
@@ -14,7 +17,7 @@ jobs:
       CRATE_DIR: './stack-graphs'
     steps:
       - name: Install Rust environment
-        uses: hecrj/setup-rust-action@v1
+        uses: hecrj/setup-rust-action@110f36749599534ca96628b82f52ae67e5d95a3c # v2
       - name: Checkout repository
         uses: actions/checkout@v4
       # TODO Verify the crate version matches the tag
@@ -38,7 +41,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
       - name: Create GitHub release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1
         with:
           body: |
             Find more info on all releases at https://crates.io/crates/stack-graphs.

Diff for: .github/workflows/publish-tree-sitter-stack-graphs-java.yml

@@ -5,6 +5,9 @@ on:
     tags:
       - tree-sitter-stack-graphs-java-v*
 
+permissions:
+  contents: write
+
 jobs:
   publish-crate:
     runs-on: ubuntu-latest
@@ -14,7 +17,7 @@ jobs:
       CRATE_DIR: './languages/tree-sitter-stack-graphs-java'
     steps:
       - name: Install Rust environment
-        uses: hecrj/setup-rust-action@v1
+        uses: hecrj/setup-rust-action@110f36749599534ca96628b82f52ae67e5d95a3c # v2
       - name: Checkout repository
         uses: actions/checkout@v4
       # TODO Verify the crate version matches the tag
@@ -38,7 +41,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
       - name: Create GitHub release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1
         with:
           body: |
             Find more info on all releases at https://crates.io/crates/tree-sitter-stack-graphs-java.

Diff for: .github/workflows/publish-tree-sitter-stack-graphs-javascript.yml

@@ -5,6 +5,9 @@ on:
     tags:
       - tree-sitter-stack-graphs-javascript-v*
 
+permissions:
+  contents: write
+
 jobs:
   publish-crate:
     runs-on: ubuntu-latest
@@ -14,7 +17,7 @@ jobs:
       CRATE_DIR: './languages/tree-sitter-stack-graphs-javascript'
     steps:
       - name: Install Rust environment
-        uses: hecrj/setup-rust-action@v1
+        uses: hecrj/setup-rust-action@110f36749599534ca96628b82f52ae67e5d95a3c # v2
       - name: Checkout repository
         uses: actions/checkout@v4
       # TODO Verify the crate version matches the tag
@@ -38,7 +41,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
       - name: Create GitHub release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1
         with:
           body: |
             Find more info on all releases at https://crates.io/crates/tree-sitter-stack-graphs-javascript.

Diff for: .github/workflows/publish-tree-sitter-stack-graphs-python.yml

@@ -5,6 +5,9 @@ on:
     tags:
       - tree-sitter-stack-graphs-python-v*
 
+permissions:
+  contents: write
+
 jobs:
   publish-crate:
     runs-on: ubuntu-latest
@@ -14,7 +17,7 @@ jobs:
       CRATE_DIR: './languages/tree-sitter-stack-graphs-python'
     steps:
       - name: Install Rust environment
-        uses: hecrj/setup-rust-action@v1
+        uses: hecrj/setup-rust-action@110f36749599534ca96628b82f52ae67e5d95a3c # v2
       - name: Checkout repository
         uses: actions/checkout@v4
       # TODO Verify the crate version matches the tag
@@ -38,7 +41,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
       - name: Create GitHub release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1
         with:
           body: |
             Find more info on all releases at https://crates.io/crates/tree-sitter-stack-graphs-python.

Diff for: .github/workflows/publish-tree-sitter-stack-graphs-typescript.yml

@@ -5,6 +5,9 @@ on:
     tags:
       - tree-sitter-stack-graphs-typescript-v*
 
+permissions:
+  contents: write
+
 jobs:
   publish-crate:
     runs-on: ubuntu-latest
@@ -14,7 +17,7 @@ jobs:
       CRATE_DIR: './languages/tree-sitter-stack-graphs-typescript'
     steps:
       - name: Install Rust environment
-        uses: hecrj/setup-rust-action@v1
+        uses: hecrj/setup-rust-action@110f36749599534ca96628b82f52ae67e5d95a3c # v2
       - name: Checkout repository
         uses: actions/checkout@v4
       # TODO Verify the crate version matches the tag
@@ -38,7 +41,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
       - name: Create GitHub release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1
         with:
           body: |
             Find more info on all releases at https://crates.io/crates/tree-sitter-stack-graphs-typescript.

Diff for: .github/workflows/publish-tree-sitter-stack-graphs.yml

@@ -5,6 +5,9 @@ on:
     tags:
       - tree-sitter-stack-graphs-v*
 
+permissions:
+  contents: write
+
 jobs:
   publish-crate:
     runs-on: ubuntu-latest
@@ -14,7 +17,7 @@ jobs:
       CRATE_DIR: './tree-sitter-stack-graphs'
     steps:
       - name: Install Rust environment
-        uses: hecrj/setup-rust-action@v1
+        uses: hecrj/setup-rust-action@110f36749599534ca96628b82f52ae67e5d95a3c # v2
       - name: Checkout repository
         uses: actions/checkout@v4
       # TODO Verify the crate version matches the tag
@@ -38,7 +41,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
       - name: Create GitHub release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1
         with:
           body: |
             Find more info on all releases at https://crates.io/crates/tree-sitter-stack-graphs.