updates

cpanato · cpanato · commit 2fadba94fcc4 · 2025-05-15T18:48:13.000+02:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+---
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
@@ -7,12 +7,16 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
-jobs:
+permissions: {}
 
+jobs:
   action-lint:
     name: Action lint
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read # To read the repo contents
+
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@@ -21,6 +25,8 @@ jobs:
 
       - name: Check out code
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          persist-credentials: false
 
       - name: Find yamls
         id: get_yamls
diff --git a/.github/workflows/ghaudit.yaml b/.github/workflows/ghaudit.yaml
@@ -6,14 +6,14 @@ on:
 
 name: GitHub Audit
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   ghaudit:
     runs-on: ubuntu-latest
 
     permissions:
+      contents: read # To read the repo contents
       id-token: write # To federate with Octo STS
 
     steps:
@@ -29,23 +29,23 @@ jobs:
         identity: ghaudit
 
     - name: Deploy Keys
-      uses: wolfi-dev/wolfi-act@d78f3659c50c4520e222df428f4903a1c4b0c6ee # main
+      uses: wolfi-dev/wolfi-act@d78f3659c50c4520e222df428f4903a1c4b0c6ee # # v0.0.1
       env:
         GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
       with:
         packages: ghaudit
         command: ghaudit org -o ${{ github.repository_owner }} deploy-keys
 
     - name: Branch Protections
-      uses: wolfi-dev/wolfi-act@d78f3659c50c4520e222df428f4903a1c4b0c6ee # main
+      uses: wolfi-dev/wolfi-act@d78f3659c50c4520e222df428f4903a1c4b0c6ee # # v0.0.1
       env:
         GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
       with:
         packages: ghaudit
         command: ghaudit org -o ${{ github.repository_owner }} branch-protections
 
     - name: Default Permissions
-      uses: wolfi-dev/wolfi-act@d78f3659c50c4520e222df428f4903a1c4b0c6ee # main
+      uses: wolfi-dev/wolfi-act@d78f3659c50c4520e222df428f4903a1c4b0c6ee # v0.0.1
       env:
         GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
       with:
