Secure workflows as suggested by Code scanning alerts of RestrictedPython. (#298)

icemac · web-flow · commit 55111d5661ac · 2025-01-28T08:19:06.000+01:00
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -15,19 +15,22 @@ env:
 
 jobs:
   pre-commit:
+    permissions:
+      contents: read
+      pull-requests: write
     name: linting
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
     - uses: actions/setup-python@v5
       with:
         python-version: 3.x
-    - uses: pre-commit/action@v3.0.1
+    - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd  #v3.0.1
       with:
         extra_args: --all-files --show-diff-on-failure
       env:
         PRE_COMMIT_COLOR: always
-    - uses: pre-commit-ci/lite-action@v1.1.0
+    - uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43  #v1.1.0
       if: always()
       with:
         msg: Apply pre-commit code formatting
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -12,6 +12,9 @@ on:
 
 jobs:
   build:
+    permissions:
+      contents: read
+      pull-requests: write
     strategy:
       # We want to see all failures:
       fail-fast: false
diff --git a/.meta.toml b/.meta.toml
@@ -2,7 +2,7 @@
 # https://github.com/zopefoundation/meta/tree/master/config/pure-python
 [meta]
 template = "pure-python"
-commit-id = "09c35441"
+commit-id = "c95980ef"
 
 [python]
 with-windows = false
diff --git a/src/zope/meta/default/pre-commit.yml.j2 b/src/zope/meta/default/pre-commit.yml.j2
@@ -13,19 +13,22 @@ env:
 
 jobs:
   pre-commit:
+    permissions:
+      contents: read
+      pull-requests: write
     name: linting
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
     - uses: actions/setup-python@v5
       with:
         python-version: 3.x
-    - uses: pre-commit/action@v3.0.1
+    - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd  #v3.0.1
       with:
         extra_args: --all-files --show-diff-on-failure
       env:
         PRE_COMMIT_COLOR: always
-    - uses: pre-commit-ci/lite-action@v1.1.0
+    - uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43  #v1.1.0
       if: always()
       with:
         msg: Apply pre-commit code formatting
diff --git a/src/zope/meta/default/tests.yml.j2 b/src/zope/meta/default/tests.yml.j2
@@ -15,6 +15,9 @@ on:
 
 jobs:
   build:
+    permissions:
+      contents: read
+      pull-requests: write
 {% if gha_services %}
     services:
 {% for line in gha_services %}
