From 7aee0b6d3e632a26e29329845dd8bd5acc730a90 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot <bot@stepsecurity.io>
Date: Tue, 10 Oct 2023 03:25:16 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
---
 .github/workflows/publish-undici-types.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish-undici-types.yml b/.github/workflows/publish-undici-types.yml
index 27d2d24f76e..95209964336 100644
--- a/.github/workflows/publish-undici-types.yml
+++ b/.github/workflows/publish-undici-types.yml
@@ -4,12 +4,15 @@ on:
       - 'v*'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
         with:
           node-version: '16.x'
           registry-url: 'https://registry.npmjs.org'