chore: fix some scorecards issues (#1766)

jiparis · web-flow · commit 67a0c541ac86 · 2025-01-30T15:52:44.000+01:00
Signed-off-by: Jose I. Paris &lt;jiparis@chainloop.dev&gt;
diff --git a/.github/workflows/build_and_package.yaml b/.github/workflows/build_and_package.yaml
@@ -76,12 +76,12 @@ jobs:
       # install qemu binaries for multiarch builds (needed by goreleaser/buildx)
       - name: Setup qemu
         id: qemu
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
 
       - name: Install Syft
         run: |
           # Install Syft
-          wget --no-verbose https://raw.githubusercontent.com/anchore/syft/main/install.sh -O - | sh -s -- -b /usr/local/bin
+          wget --no-verbose https://raw.githubusercontent.com/anchore/syft/c43f4fb416c34c1c4b3997373689d8d4c0fb9b36/install.sh -O - | sh -s -- -b /usr/local/bin
 
       - name: Run GoReleaser
         id: release
diff --git a/.github/workflows/docs_deploy.yml b/.github/workflows/docs_deploy.yml
@@ -8,6 +8,8 @@ on:
 # Limit to a single workflow
 concurrency: "deploy-to-prod"
 
+permissions: {}
+
 jobs:
   chainloop_init:
     name: Chainloop Init
@@ -36,7 +38,7 @@ jobs:
       - name: Install Syft
         run: |
           # Install Syft
-          wget --no-verbose https://raw.githubusercontent.com/anchore/syft/main/install.sh -O - | sh -s -- -b /usr/local/bin
+          wget --no-verbose https://raw.githubusercontent.com/anchore/syft/c43f4fb416c34c1c4b3997373689d8d4c0fb9b36/install.sh -O - | sh -s -- -b /usr/local/bin
 
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
diff --git a/.github/workflows/docs_test.yml b/.github/workflows/docs_test.yml
@@ -5,6 +5,9 @@ on:
   push:
     branches: ["main"]
     paths: ["docs/**"]
+
+permissions: {}
+
 jobs:
   docs_build_and_test:
     name: Documentation Build and Test
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -14,6 +14,8 @@ on:
       cosign_pass:
         required: true
 
+permissions: {}
+
 jobs:
   # This reusable workflow inspects if the given workflow_name exists on Chainloop. If the Workflow does not exist
   # it will create one with an empty contract ready for operators to be filled. Otherwise, if found, it will just
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -47,7 +47,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
