From 4e523ef089da66312b0ea13d1a8ca602b39a916b Mon Sep 17 00:00:00 2001
From: Claas Augner
Date: Tue, 28 Jan 2025 16:27:15 +0100
Subject: [PATCH 1/2] fix(workflows): assign explicit permissions

---
 .github/workflows/issue-regex-labeler.yml | 4 ++++
 .github/workflows/pr-reviewdog.yml | 4 ++++
 .github/workflows/release-pr.yml | 4 ++++
 .github/workflows/update-mdn-urls.yml | 4 ++++
 .github/workflows/update-web-features.yml | 4 ++++
 5 files changed, 20 insertions(+)

diff --git a/.github/workflows/issue-regex-labeler.yml b/.github/workflows/issue-regex-labeler.yml
index da011933944997..6394fa486f8642
--- a/.github/workflows/issue-regex-labeler.yml
+++ b/.github/workflows/issue-regex-labeler.yml
@@ -4,6 +4,10 @@ on:
 issues:
 types: [opened]
+permissions:
+ contents: read
+ issues: write
+
 jobs:
 issue-labeler:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-reviewdog.yml b/.github/workflows/pr-reviewdog.yml
index d2c85e51013586..4e87b43daea40e
--- a/.github/workflows/pr-reviewdog.yml
+++ b/.github/workflows/pr-reviewdog.yml
@@ -4,6 +4,10 @@ on:
 pull_request_target:
 branches: ["main"]
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 fix:
 name: Fix
diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
index 83b4f59bc6799c..d41b0bdefd58b6
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -6,6 +6,10 @@ on:
 branches:
 - main
+permissions:
+ contents: write
+ pull-requests: write
+
 env:
 GH_TOKEN: ${{ secrets.GH_TOKEN }}
 GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
diff --git a/.github/workflows/update-mdn-urls.yml b/.github/workflows/update-mdn-urls.yml
index 74f727a1fe3ba6..769f72899a4861
--- a/.github/workflows/update-mdn-urls.yml
+++ b/.github/workflows/update-mdn-urls.yml
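Review bot: The `pull-requests: write` grant in the new `permissions` block of pr-reviewdog.yml is handed to a `pull_request_target` workflow, which runs in the base repository with a write-capable token even for pull requests from forks, so the scoping only helps if no step in the `fix` job executes content controlled by the PR head. The job's steps are outside this hunk; if any of them checks out `github.event.pull_request.head.sha` and runs `npm`, `npx` or a script from that checkout, a fork PR can read the token and post or edit anything the `pull-requests: write` scope allows. Record the invariant next to the grant, e.g. `# pull_request_target: token is write-capable for fork PRs too — never run code from the PR head in this job`. The `name: diff` context visible in the second patch suggests the diff is produced elsewhere and downloaded as an artifact, which is the safe pattern; confirm that nothing in this job executes PR-controlled files.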
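Review bot: The new `permissions` block in release-pr.yml only scopes the automatic `GITHUB_TOKEN`, but the `env` lines directly below it override both `GH_TOKEN` and `GITHUB_TOKEN` with `secrets.GH_TOKEN`, so any step that reads those variables runs with the personal access token's scopes rather than with `contents: write` / `pull-requests: write`. Unless a step elsewhere in the file (outside this hunk) uses `${{ secrets.GITHUB_TOKEN }}` or `${{ github.token }}` directly, the write grants are unused and could be reduced to `contents: read`. Make the split explicit inline, e.g. `# NOTE: steps authenticate with the GH_TOKEN PAT below; these permissions only cover the automatic token`, and prefer a fine-grained PAT or a GitHub App installation token scoped to this repository over a classic PAT.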
@@ -5,6 +5,10 @@ on:
 paths:
 - "package-lock.json"
+permissions:
+ contents: write
+ pull-requests: read
+
 jobs:
 update-mdn-urls:
 if: github.repository == 'mdn/browser-compat-data' && github.event.pull_request.user.login == 'dependabot[bot]' && startsWith(github.head_ref, 'dependabot/npm_and_yarn/ddbeck/mdn-content-inventory-')
diff --git a/.github/workflows/update-web-features.yml b/.github/workflows/update-web-features.yml
index c02639d32573f1..5517f06c142f25
--- a/.github/workflows/update-web-features.yml
+++ b/.github/workflows/update-web-features.yml
@@ -6,6 +6,10 @@ on:
 schedule:
 - cron: "30 4 * * 1-5"
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 update-web-features:
 if: github.repository == 'mdn/browser-compat-data'
From acc15a3adb7b40ea12cf33647eb8fe8ba9aee6a9 Mon Sep 17 00:00:00 2001
From: Claas Augner
Date: Tue, 28 Jan 2025 16:51:13 +0100
Subject: [PATCH 2/2] fix(workflows): pin 3rd party actions

---
 .github/workflows/close-incomplete-issues.yml | 4 ++--
 .github/workflows/labeler.yml | 2 +-
 .github/workflows/ping-other-repos.yml | 2 +-
 .github/workflows/pr-reviewdog.yml | 2 +-
 .github/workflows/update-browser-releases.yml | 2 +-
 .github/workflows/update-web-features.yml | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/close-incomplete-issues.yml b/.github/workflows/close-incomplete-issues.yml
index 81929d4c615464..3d262ce1b1d254
--- a/.github/workflows/close-incomplete-issues.yml
+++ b/.github/workflows/close-incomplete-issues.yml
@@ -11,7 +11,7 @@ jobs:
 close-issues-if-invalid:
 runs-on: ubuntu-latest
 steps:
- - uses: queengooborg/invalid-issue-closer@v1.5.4
+ - uses: queengooborg/invalid-issue-closer@d79a4ae7685cfab213be15f0e39fbd4533e3d822 # v1.5.4
 id: spam-check
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
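Review bot: `contents: write` in update-mdn-urls.yml is granted to a job whose only gate is the `if:` condition on the PR author being `dependabot[bot]` and `github.head_ref` starting with a fixed Dependabot branch prefix; the trigger type is above this hunk, and if it is `pull_request_target` that condition is the sole control keeping a fork PR from running with a base-repository write token. `github.event.pull_request.user.login` is set by GitHub from the PR author and cannot be chosen by a third party, so the check holds, but it should be marked as a security control rather than a convenience filter, e.g. `# contents: write — gated by the dependabot[bot] author check on the job; do not loosen that condition`. `pull-requests: read` is also granted, yet nothing in the hunk shows a step that needs the PR API; drop it if no step does.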
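Review bot: `contents: write` and `pull-requests: write` in update-web-features.yml are granted to the automatic token, but the `Create Pull Request` step in this same file (visible in the second patch) authenticates with `token: ${{ secrets.GH_TOKEN }}`, a PAT, so these grants are only needed if some other step outside this hunk pushes or calls the API with `GITHUB_TOKEN`. If nothing does, reduce to `contents: read` and let the PAT carry the write access; if something does, say which step inline, e.g. `# contents: write — <step> pushes with the automatic token; the PR itself is opened with the GH_TOKEN PAT`. The workflow is `schedule`-triggered, so there is no untrusted input here, but a compromised dependency in the update step would inherit whatever the automatic token can do, which is another reason to keep it read-only where possible.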
@@ -21,7 +21,7 @@ jobs:
 This issue has been identified as spam and has been automatically closed and locked. Do not use this repository for posting spam.
 normalize-newlines: true
 body-is-blank: true
- - uses: queengooborg/invalid-issue-closer@v1.5.4
+ - uses: queengooborg/invalid-issue-closer@d79a4ae7685cfab213be15f0e39fbd4533e3d822 # v1.5.4
 if: steps.spam-check.outputs.was-closed == 'false'
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 4203762dd5c0af..9aa2ea2c783505
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -21,7 +21,7 @@ jobs:
 needs: label-py-path
 runs-on: ubuntu-latest
 steps:
- - uses: codelytv/pr-size-labeler@v1
+ - uses: codelytv/pr-size-labeler@1c3422395d899286d5ee2c809fd5aed264d5eb9b # v1.10.2
 with:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 github_api_url: "https://api.github.com"
diff --git a/.github/workflows/ping-other-repos.yml b/.github/workflows/ping-other-repos.yml
index 332f3e424d9031..9d0a44be4c5fab
--- a/.github/workflows/ping-other-repos.yml
+++ b/.github/workflows/ping-other-repos.yml
@@ -27,7 +27,7 @@ jobs:
 - name: Ping w3c/mdn-spec-links
 # This is one of many possible repos we can ping. When adding other
 # repos, you can follow this w3c/mdn-spec-links one as an example.
- uses: peter-evans/repository-dispatch@v3
+ uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
 with:
 token: ${{ secrets.SIDESHOWBARKER }}
 repository: w3c/mdn-spec-links
diff --git a/.github/workflows/pr-reviewdog.yml b/.github/workflows/pr-reviewdog.yml
index 4e87b43daea40e..b39b8931848c21
--- a/.github/workflows/pr-reviewdog.yml
+++ b/.github/workflows/pr-reviewdog.yml
@@ -51,7 +51,7 @@ jobs:
 name: diff
 - name: Setup
- uses: reviewdog/action-setup@v1
+ uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.0
 with:
 reviewdog_version: latest
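Review bot: Pinning `reviewdog/action-setup` to a commit SHA in pr-reviewdog.yml does not pin what actually executes, because the `with:` block right below keeps `reviewdog_version: latest`, so the action still downloads whichever reviewdog release is newest at run time — into a job that, per the first patch, runs on `pull_request_target` with `pull-requests: write`. Replace `latest` with the explicit release tag currently in use (`reviewdog_version: vX.Y.Z`) so the binary is frozen alongside the action SHA and bumped through the same review process. The `fix` job this step belongs to starts outside the hunk.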
diff --git a/.github/workflows/update-browser-releases.yml b/.github/workflows/update-browser-releases.yml
index 031fbebff66182..597dd356d51d32
--- a/.github/workflows/update-browser-releases.yml
+++ b/.github/workflows/update-browser-releases.yml
@@ -34,7 +34,7 @@ jobs:
 npm run update-browser-releases -- --all >> $GITHUB_ENV
 echo "EOF" >> $GITHUB_ENV
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
 with:
 token: ${{ secrets.GH_TOKEN }} # need the rights to create and edit PRs
 commit-message: Update browser releases
diff --git a/.github/workflows/update-web-features.yml b/.github/workflows/update-web-features.yml
index 5517f06c142f25..1dba6e5a1a9c2b
--- a/.github/workflows/update-web-features.yml
+++ b/.github/workflows/update-web-features.yml
@@ -44,7 +44,7 @@ jobs:
 echo "EOF" >> $GITHUB_ENV
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
 with:
 token: ${{ secrets.GH_TOKEN }} # need the rights to create and edit PRs
 commit-message: Update web-features tags
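Review bot: The `# v7.0.6` comment after the new SHA pin in update-web-features.yml is informative only — nothing verifies that the SHA resolves to that tag, and a SHA pin freezes the action until someone edits the line, which silently turns "pinned" into "never updated" if no tooling refreshes it. Check each pin once against the tagged commit (dereferencing the tag, since release tags are often annotated), and make sure the repository's Dependabot configuration, which is not visible here but is evidently in use for npm given the `dependabot/npm_and_yarn/` branch prefix in the first patch, also declares the `github-actions` package ecosystem so the SHA and its version comment are bumped together. The same applies to the identical pin in update-browser-releases.yml above.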