From ca0966543ef411ddc02dbfe6d99fd932769a651b Mon Sep 17 00:00:00 2001
From: harshitasao
Date: Sun, 18 Aug 2024 01:27:46 +0530
Subject: [PATCH 1/2] fixed the token-permission and pinned-dependencies issue

Signed-off-by: harshitasao
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/codeql.yaml | 3 +++
 .github/workflows/codespell.yml | 3 +++
 .github/workflows/engine-version-weakcheck.yaml | 3 +++
 .github/workflows/insecure-api.yaml | 3 +++
 .github/workflows/master.yaml | 3 +++
 .github/workflows/release.yaml | 5 ++++-
 .github/workflows/reusable_build_dev.yaml | 3 +++
 .github/workflows/reusable_build_docker.yaml | 3 +++
 .github/workflows/reusable_build_packages.yaml | 3 +++
 .github/workflows/reusable_fetch_version.yaml | 3 +++
 .github/workflows/reusable_test_packages.yaml | 5 ++++-
 .github/workflows/staticanalysis.yaml | 3 +++
 13 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9c202fff559..5d169f0b7f0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,9 @@ concurrency:
 group: ${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 fetch-version:
 uses: ./.github/workflows/reusable_fetch_version.yaml
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index 1b1dd4bbfaa..29da3aaf4c6 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -18,6 +18,9 @@ on:
 # The branches below must be a subset of the branches above
 branches: [ "master" ]
 
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index fb986c11c64..ca85796ca2f 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -1,6 +1,9 @@
 name: Codespell
 on:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 codespell:
 runs-on: ubuntu-latest
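Review bot: The workflow-level `permissions: contents: read` added to codeql.yaml becomes the default for the `analyze` job, and, as GitHub documents, uploading CodeQL results to code scanning needs `security-events: write`, which this grant does not include. The job body starts outside the hunk, so confirm that `analyze` declares its own block, e.g. `permissions:` / `contents: read` / `security-events: write`; without it the analysis runs but the upload step is rejected. The same check applies to the ci.yml and master.yaml hunks on this line, where the workflow-level grant is also the ceiling for every reusable workflow those jobs call.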
diff --git a/.github/workflows/engine-version-weakcheck.yaml b/.github/workflows/engine-version-weakcheck.yaml
index 64103bf7aed..649502b2093 100644
--- a/.github/workflows/engine-version-weakcheck.yaml
+++ b/.github/workflows/engine-version-weakcheck.yaml
@@ -9,6 +9,9 @@ on:
 - 'userspace/engine/*.cpp'
 - 'userspace/engine/*.h'
 
+permissions:
+ contents: read
+
 jobs:
 paths-filter:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/insecure-api.yaml b/.github/workflows/insecure-api.yaml
index 8fbf02aa3f7..e089df6f86a 100644
--- a/.github/workflows/insecure-api.yaml
+++ b/.github/workflows/insecure-api.yaml
@@ -6,6 +6,9 @@ on:
 - 'release/**'
 - 'maintainers/**'
 
+permissions:
+ contents: read
+
 jobs:
 insecure-api:
 name: check-insecure-api
diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
index 37f9ed8c04b..e133d660516 100644
--- a/.github/workflows/master.yaml
+++ b/.github/workflows/master.yaml
@@ -8,6 +8,9 @@ concurrency:
 group: ci-master
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 fetch-version:
 uses: ./.github/workflows/reusable_fetch_version.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index af05dd2b527..726e2e78fbd 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -8,6 +8,9 @@ concurrency:
 group: ci-release
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 release-settings:
 runs-on: ubuntu-latest
@@ -16,7 +19,7 @@ jobs:
 bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
 steps:
 - name: Get latest release
- uses: rez0n/actions-github-release@v2.0
+ uses: rez0n/actions-github-release@27a57820ee808f8fd940c8a9d1f7188f854aa2b5 # v2.0
 id: latest_release
 env:
 token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/reusable_build_dev.yaml b/.github/workflows/reusable_build_dev.yaml
index 56d6d803d04..9d0a1428fc7 100644
--- a/.github/workflows/reusable_build_dev.yaml
+++ b/.github/workflows/reusable_build_dev.yaml
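Review bot: In release.yaml the new workflow-level `contents: read` is enough for the `release-settings` job shown here, which only reads the latest release through `secrets.GITHUB_TOKEN`, but a release workflow usually has later jobs that publish packages, images or release assets, and those would now run with a read-only token. Those jobs are outside this hunk, so check each one and give it a job-level `permissions:` block with only what it needs (for example `contents: write` for release assets or `id-token: write` for OIDC) rather than widening the workflow-level grant. The `rez0n/actions-github-release` pin to a full commit SHA with the `# v2.0` comment is the right form for a third-party action.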
@@ -33,6 +33,9 @@ on:
 default: ''
 type: string
 
+permissions:
+ contents: read
+
 jobs:
 build-and-test:
 # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
diff --git a/.github/workflows/reusable_build_docker.yaml b/.github/workflows/reusable_build_docker.yaml
index f2dab156858..2bb77560fec 100644
--- a/.github/workflows/reusable_build_docker.yaml
+++ b/.github/workflows/reusable_build_docker.yaml
@@ -24,6 +24,9 @@ on:
 # then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
 # In this way, we don't need to publish any arch specific image,
 # and this "build" workflow is actually only building images.
+permissions:
+ contents: read
+
 jobs:
 build-docker:
 # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml
index 62eb7f57dfb..bc4fe02b5de 100644
--- a/.github/workflows/reusable_build_packages.yaml
+++ b/.github/workflows/reusable_build_packages.yaml
@@ -21,6 +21,9 @@ on:
 type: boolean
 default: false
 
+permissions:
+ contents: read
+
 jobs:
 build-modern-bpf-skeleton:
 # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
diff --git a/.github/workflows/reusable_fetch_version.yaml b/.github/workflows/reusable_fetch_version.yaml
index 6eeee4014fb..16dccd15331 100644
--- a/.github/workflows/reusable_fetch_version.yaml
+++ b/.github/workflows/reusable_fetch_version.yaml
@@ -6,6 +6,9 @@ on:
 description: "Falco version"
 value: ${{ jobs.fetch-version.outputs.version }}
 
+permissions:
+ contents: read
+
 jobs:
 # We need to use an ubuntu-latest to fetch Falco version because
 # Falco version is computed by some cmake scripts that do git sorceries
diff --git a/.github/workflows/reusable_test_packages.yaml b/.github/workflows/reusable_test_packages.yaml
index efb0d12cf89..e90c40515e4 100644
--- a/.github/workflows/reusable_test_packages.yaml
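Review bot: In reusable_build_docker.yaml the `permissions:` block lands between the comment ending `# and this "build" workflow is actually only building images.` and `jobs:`, so a comment that explains the jobs now visually introduces the permissions instead. Move the three new lines above that comment block so the explanation stays attached to `jobs:`; the second patch in this series adds a blank line but keeps the same placement. That comment also states the jobs only build and never publish, which is what makes `contents: read` sufficient here, and per GitHub's reusable-workflow rules a `permissions` key in a `workflow_call` workflow can only narrow what the caller grants.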
+++ b/.github/workflows/reusable_test_packages.yaml
@@ -21,6 +21,9 @@ on:
 default: false
 type: boolean
 
+permissions:
+ contents: read
+
 jobs:
 test-packages:
 # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
@@ -54,7 +57,7 @@ jobs:
 - name: Run tests
 env:
 LSAN_OPTIONS: "intercept_tls_get_addr=0"
- uses: falcosecurity/testing@main
+ uses: falcosecurity/testing@32e319ae505fb330ae74db4502e605a5e517ff22 # main
 with:
 test-falco: 'true'
 test-falcoctl: 'true'
diff --git a/.github/workflows/staticanalysis.yaml b/.github/workflows/staticanalysis.yaml
index 578406b6d19..a66c285a4d5 100644
--- a/.github/workflows/staticanalysis.yaml
+++ b/.github/workflows/staticanalysis.yaml
@@ -1,6 +1,9 @@
 name: StaticAnalysis
 on:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 staticanalysis:
 runs-on: ubuntu-22.04

From 32083f83763cda41e68caa7a0a4ed3cbdbdcc321 Mon Sep 17 00:00:00 2001
From: harshitasao
Date: Thu, 29 Aug 2024 03:47:18 +0530
Subject: [PATCH 2/2] made required changes

Signed-off-by: harshitasao
---
 .github/workflows/codespell.yml | 1 +
 .github/workflows/reusable_build_docker.yaml | 1 +
 .github/workflows/reusable_test_packages.yaml | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index ca85796ca2f..b5563c767ea 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -1,6 +1,7 @@
 name: Codespell
 on:
 pull_request:
+
 permissions:
 contents: read
 
diff --git a/.github/workflows/reusable_build_docker.yaml b/.github/workflows/reusable_build_docker.yaml
index 2bb77560fec..21d0ff57a30 100644
--- a/.github/workflows/reusable_build_docker.yaml
+++ b/.github/workflows/reusable_build_docker.yaml
@@ -24,6 +24,7 @@ on:
 # then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
 # In this way, we don't need to publish any arch specific image,
 # and this "build" workflow is actually only building images.
+
 permissions:
 contents: read
 
diff --git a/.github/workflows/reusable_test_packages.yaml b/.github/workflows/reusable_test_packages.yaml
index e90c40515e4..6c146688537 100644
--- a/.github/workflows/reusable_test_packages.yaml
+++ b/.github/workflows/reusable_test_packages.yaml
@@ -57,7 +57,7 @@ jobs:
 - name: Run tests
 env:
 LSAN_OPTIONS: "intercept_tls_get_addr=0"
- uses: falcosecurity/testing@32e319ae505fb330ae74db4502e605a5e517ff22 # main
+ uses: falcosecurity/testing@main
 with:
 test-falco: 'true'
 test-falcoctl: 'true'
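Review bot: Reverting `falcosecurity/testing` to `@main` undoes the commit pin from the first patch and leaves this `uses:` as the only step in the series that follows a mutable branch, so the test-harness code that runs in this job can change between two runs of the same commit with no diff in this repository to review. If tracking `main` is deliberate (the harness appears to live in the same organisation and may need to move with this repo's default branch), record that on the line so the pinned-dependency exception is visible and intentional: `uses: falcosecurity/testing@main  # unpinned on purpose: <reason>`. Otherwise pin to a tag or commit and let the updater advance it, as the first patch did. The `test-packages` job that contains this step starts outside the hunk.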