From 411f4cb5306d5a3734d4026d618a65e1d975a6c0 Mon Sep 17 00:00:00 2001
From: Boyan Velinov <boyan.velinov@sap.com>
Date: Wed, 27 May 2026 17:58:51 +0300
Subject: [PATCH] Harden Github actions

---
 .github/workflows/check-commit-message.yml |  5 ++++-
 .github/workflows/codeql.yml               | 10 +++++-----
 .github/workflows/main.yml                 |  7 +++++--
 .github/workflows/pull-request-build.yml   | 13 ++++++++-----
 .github/workflows/sonar-scan.yml           |  8 ++++++--
 5 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/check-commit-message.yml b/.github/workflows/check-commit-message.yml
index 4a11e8b0ca..c2bca4641e 100644
--- a/.github/workflows/check-commit-message.yml
+++ b/.github/workflows/check-commit-message.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [ synchronize, opened ]
 
+permissions:
+  pull-requests: read
+
 jobs:
   check_commit_message:
     name: Check Commit Message
@@ -12,7 +15,7 @@ jobs:
     steps:
       - name: Check Commit Message
         id: commits
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const prNumber = context.payload.pull_request.number;
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 683b499ea4..ddf1fdc96f 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -46,17 +46,17 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Setup Java JDK
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
       with:
         java-version: 25
         distribution: 'zulu'
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@f52b05f4acaaa234e44466e66d29050e135ea9ef # v4.36.0
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -70,7 +70,7 @@ jobs:
     # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v4
+      uses: github/codeql-action/autobuild@f52b05f4acaaa234e44466e66d29050e135ea9ef # v4.36.0
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -83,6 +83,6 @@ jobs:
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@f52b05f4acaaa234e44466e66d29050e135ea9ef # v4.36.0
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index d96df78687..39606c4736 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -4,13 +4,16 @@ on:
   push:
    branches: [ "master" ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Set up JDK 25
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
       with:
         java-version: '25'
         distribution: 'zulu'
diff --git a/.github/workflows/pull-request-build.yml b/.github/workflows/pull-request-build.yml
index 9e4f50067a..98c63a4de8 100644
--- a/.github/workflows/pull-request-build.yml
+++ b/.github/workflows/pull-request-build.yml
@@ -5,21 +5,24 @@ on:
     branches: [ master ]
     types: [opened, synchronize, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build and analyze
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
     - name: Set up JDK 25
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
       with:
         java-version: '25'
         distribution: 'zulu'
-        
+
     - name: Cache Maven packages
-      uses: actions/cache@v3
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/sonar-scan.yml b/.github/workflows/sonar-scan.yml
index 75e284574d..80d6d930a8 100644
--- a/.github/workflows/sonar-scan.yml
+++ b/.github/workflows/sonar-scan.yml
@@ -6,13 +6,17 @@ on:
   pull_request:
    branches: [ "master" ]
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Set up JDK 25
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
       with:
         java-version: '25'
         distribution: 'zulu'