Repo security upgrades (#1699)

Co-authored-by: Robert <[email protected]>
bugsnag · Oct 23, 2024 · 0e9af66 · 0e9af66
1 parent 324975f
commit 0e9af66
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 5 deletions.
diff --git a/.github/workflows/downstream_updates.yml b/.github/workflows/downstream_updates.yml
@@ -9,6 +9,7 @@ on:
         description: 'Version of the submodule to update downstream repos to'
         required: true
         type: string
+permissions: read-all
 
 jobs:
   update-dependencies:

diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -1,16 +1,19 @@
 name: "Pull Request"
 on: [pull_request]
+permissions: read-all
 
 jobs:
 
   analyze:
+    permissions:
+      statuses: write
     runs-on: macos-14
     env:
       # Infer 1.0.1 cannot parse the iOS 15 SDK headers
       DEVELOPER_DIR: /Applications/Xcode_15.4.app
     steps:
     - name: Checkout pull request HEAD
-      uses: actions/checkout@v2
+      uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       with:
         ref: ${{ github.event.pull_request.head.sha }}
     - name: Install dependencies
@@ -21,16 +24,19 @@ jobs:
       run: make oclint
 
   danger:
+    permissions:
+      pull-requests: write
+      statuses: write
     runs-on: macos-14
     steps:
     - name: Checkout target branch
-      uses: actions/checkout@v2
+      uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       with:
         ref: ${{ github.base_ref }}
     - name: Build framework
       run: xcodebuild -project Bugsnag.xcodeproj -configuration Release -target Bugsnag-iOS -destination generic/platform=iOS -quiet clean build VALID_ARCHS=arm64 RUN_CLANG_STATIC_ANALYZER=NO && mv build build.base
     - name: Checkout pull request merge branch
-      uses: actions/checkout@v2
+      uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       with:
         clean: false
         fetch-depth: 100

diff --git a/.github/workflows/update_docs.yml b/.github/workflows/update_docs.yml
@@ -2,16 +2,17 @@ name: "Update Docs"
 on:
   release:
     types: [published]
+permissions: read-all
 
 jobs:
   build:
     runs-on: macos-latest
     steps:
       - name: Checkout bugsnag-cocoa
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
       - name: Checkout docs branch
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
         with:
           ref: gh-pages
           path: docs

diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1 @@
+*       @robert-smartbear @kstenerud @tomlongridge