Security harden the workflows

paulbalandan · paulbalandan · commit 1b2795ac7a71 · 2026-04-21T21:29:55.000+08:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -10,9 +10,8 @@ updates:
   - package-ecosystem: github-actions
     directory: /
     schedule:
-      interval: daily
-    ignore:
-      - dependency-name: '*'
-        update-types:
-          - version-update:semver-minor
-          - version-update:semver-patch
+      interval: weekly
+    groups:
+      actions:
+        patterns:
+          - '*'
diff --git a/.github/workflows/auto-review.yml b/.github/workflows/auto-review.yml
@@ -18,6 +18,9 @@ on:
       - tests/**
       - .github/workflows/auto-review.yml
 
+permissions:
+  contents: read
+
 concurrency:
   group: auto-review-${{ github.ref }}
   cancel-in-progress: true
@@ -27,6 +30,7 @@ jobs:
     name: Automatic Review on Code [PHP ${{ matrix.php-version }}]
     runs-on: ubuntu-24.04
     if: github.repository == 'codeigniter4/translations'
+    timeout-minutes: 15
 
     strategy:
       fail-fast: false
@@ -40,10 +44,12 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
         with:
           php-version: ${{ matrix.php-version }}
           extensions: intl, mbstring
@@ -56,7 +62,7 @@ jobs:
         run: echo "COMPOSER_CACHE_FILES_DIR=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
       - name: Cache composer dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ${{ steps.composer-cache.outputs.COMPOSER_CACHE_FILES_DIR }}
           key: composer-PHP_${{ matrix.php-version }}-${{ hashFiles('**/composer.json') }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -32,6 +32,7 @@ jobs:
     name: Build [PHP ${{ matrix.php-version }}]
     runs-on: ubuntu-24.04
     if: github.repository == 'codeigniter4/translations'
+    timeout-minutes: 20
 
     strategy:
       fail-fast: false
@@ -40,16 +41,17 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 2
+          persist-credentials: false
 
       - name: Checkout other refs
         run: |
           git fetch --no-tags --prune --depth=2 origin +refs/heads/*:refs/remotes/origin/*
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
         with:
           php-version: ${{ matrix.php-version }}
           extensions: intl, mbstring
@@ -62,7 +64,7 @@ jobs:
         run: echo "COMPOSER_CACHE_FILES_DIR=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
       - name: Cache composer dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ${{ steps.composer-cache.outputs.COMPOSER_CACHE_FILES_DIR }}
           key: composer-PHP_${{ matrix.php-version }}-${{ hashFiles('**/composer.json') }}
diff --git a/.github/workflows/code-style.yml b/.github/workflows/code-style.yml
@@ -34,6 +34,7 @@ jobs:
     name: Code Style Check [PHP ${{ matrix.php-version }}]
     runs-on: ubuntu-24.04
     if: github.repository == 'codeigniter4/translations'
+    timeout-minutes: 10
 
     strategy:
       fail-fast: false
@@ -42,10 +43,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
         with:
           php-version: ${{ matrix.php-version }}
           extensions: tokenizer
@@ -58,7 +61,7 @@ jobs:
         run: echo "COMPOSER_CACHE_FILES_DIR=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
       - name: Cache composer dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ${{ steps.composer-cache.outputs.COMPOSER_CACHE_FILES_DIR }}
           key: composer-PHP_${{ matrix.php-version }}-${{ hashFiles('**/composer.json') }}
diff --git a/.github/workflows/generate-page.yml b/.github/workflows/generate-page.yml
@@ -27,13 +27,16 @@ jobs:
   build:
     runs-on: ubuntu-24.04
     if: github.repository == 'codeigniter4/translations'
+    timeout-minutes: 15
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
         with:
           php-version: '8.2'
           extensions: intl, mbstring
@@ -46,7 +49,7 @@ jobs:
         run: echo "COMPOSER_CACHE_FILES_DIR=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
       - name: Cache composer dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ${{ steps.composer-cache.outputs.COMPOSER_CACHE_FILES_DIR }}
           key: composer-PHP_8.2-${{ hashFiles('**/composer.json') }}
@@ -59,13 +62,13 @@ jobs:
 
       - name: Setup Pages
         id: pages
-        uses: actions/configure-pages@v6
+        uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
 
       - name: Build
         run: ./bin/generate-page
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v5
+        uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
         with:
           path: ./page/build
 
@@ -76,7 +79,9 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-24.04
     needs: build
+    timeout-minutes: 10
+
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v5
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
