Update workflow based on zizmor audit

TurboWarp · Dec 25, 2024 · 4800d92 · 4800d92
1 parent 615b669
commit 4800d92
Showing 1 changed file with 12 additions and 11 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -7,11 +7,6 @@ on:
   schedule:
     - cron: '52 18 * * 2'
 
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
 concurrency:
   group: "deploy"
   cancel-in-progress: true
@@ -21,17 +16,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout self
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      with:
+        persist-credentials: false
     - name: Checkout scratch-gui
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         repository: TurboWarp/scratch-gui
         path: scratch-gui
+        persist-credentials: false
     - name: Setup GitHub Pages
       id: pages
-      uses: actions/configure-pages@v4
+      uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b
     - name: Install Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
       with:
         node-version: 20
     - name: Build
@@ -42,7 +40,7 @@ jobs:
     - name: Patch
       run: python3 patch.py
     - name: Upload pages artifact
-      uses: actions/upload-pages-artifact@v3
+      uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa
       with:
         path: ./scratch-gui/build/
         retention-days: 30
@@ -51,9 +49,12 @@ jobs:
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
+    permissions:
+      pages: write
+      id-token: write
     runs-on: ubuntu-latest
     needs: build
     steps:
     - name: Deploy to GitHub Pages
       id: deployment
-      uses: actions/deploy-pages@v4
+      uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e