From 8e03759e2f6f14816d402bbaba0447836bb71261 Mon Sep 17 00:00:00 2001
From: irongut <murray.dave@outlook.com>
Date: Sun, 24 Jul 2022 21:14:28 +0100
Subject: [PATCH 1/5] use StepSecurity Secure Workflows for builds #49

---
 .github/workflows/ci-build.yml      | 13 +++++++++++--
 .github/workflows/release-build.yml | 27 +++++++++++++++++++++------
 2 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
index e0e45be..ae256e2 100644
--- a/.github/workflows/ci-build.yml
+++ b/.github/workflows/ci-build.yml
@@ -6,16 +6,25 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     name: CI Build
     steps:
+    
+    - name: Harden Runner
+      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
 
     - name: Setup .Net
-      uses: actions/setup-dotnet@v1
+      uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87
       with:
         dotnet-version: 6.0.x
 
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index eb1e12c..dae8b11 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -8,18 +8,27 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Test Build
     runs-on: ubuntu-latest
     steps:
+    
+    - name: Harden Runner
+      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
       with:
         fetch-depth: 0
 
     - name: Setup .Net
-      uses: actions/setup-dotnet@v1
+      uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87
       with:
         dotnet-version: 6.0.x
 
@@ -40,11 +49,17 @@ jobs:
       contents: read
       packages: write
     steps:
+
+      - name: Harden Runner
+        uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
@@ -52,12 +67,12 @@ jobs:
 
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@b2391d37b4157fa4aa2e118d643f417910ff3242
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       - name: Build + Push Docker image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
         with:
           context: .
           push: true

From 875e6d6260da79f370c05e9ed311a7e344070ad8 Mon Sep 17 00:00:00 2001
From: irongut <murray.dave@outlook.com>
Date: Sun, 24 Jul 2022 21:22:31 +0100
Subject: [PATCH 2/5] use StepSecurity Secure Workflows for project management
 #49

---
 .github/workflows/assign-to-project.yml | 19 +++++++++++++++----
 .github/workflows/auto-assign-pr.yml    | 13 ++++++++++++-
 .github/workflows/mark-stale.yml        | 15 +++++++++++++--
 .github/workflows/pr-labeler.yml        | 14 +++++++++++++-
 4 files changed, 53 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/assign-to-project.yml b/.github/workflows/assign-to-project.yml
index 89e500e..6742c26 100644
--- a/.github/workflows/assign-to-project.yml
+++ b/.github/workflows/assign-to-project.yml
@@ -8,34 +8,45 @@ on:
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+permissions:
+  contents: read
+
 jobs:
   assign-to-project:
+    permissions:
+      repository-projects: write  # for srggrs/assign-one-project-github-action to assign issues and PRs to repo project
     runs-on: ubuntu-latest
     name: Assign to Project
     steps:
+    
+    - name: Harden Runner
+      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Assign Issues to Bugs
-      uses: srggrs/assign-one-project-github-action@1.3.1
+      uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435
       if: contains(github.event.issue.labels.*.name, 'bug')
       with:
         project: 'https://github.com/irongut/CodeCoverageSummary/projects/1'
         column_name: 'Needs triage'
 
     - name: Assign Issues to Enhancements
-      uses: srggrs/assign-one-project-github-action@1.3.1
+      uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435
       if: contains(github.event.issue.labels.*.name, 'enhancement')
       with:
         project: 'https://github.com/irongut/CodeCoverageSummary/projects/2'
         column_name: 'To do'
 
     - name: Assign PRs to Bugs
-      uses: srggrs/assign-one-project-github-action@1.3.1
+      uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435
       if: contains(github.event.pull_request.labels.*.name, 'bug')
       with:
         project: 'https://github.com/irongut/CodeCoverageSummary/projects/1'
         column_name: 'In Progress'
 
     - name: Assign PRs to Enhancements
-      uses: srggrs/assign-one-project-github-action@1.3.1
+      uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435
       if: contains(github.event.pull_request.labels.*.name, 'enhancement')
       with:
         project: 'https://github.com/irongut/CodeCoverageSummary/projects/2'
diff --git a/.github/workflows/auto-assign-pr.yml b/.github/workflows/auto-assign-pr.yml
index cb6e91b..10c7b0e 100644
--- a/.github/workflows/auto-assign-pr.yml
+++ b/.github/workflows/auto-assign-pr.yml
@@ -7,11 +7,22 @@ on:
   pull_request:
     types: [opened]
 
+permissions:
+  contents: read
+
 jobs:
   assignAuthor:
+    permissions:
+      pull-requests: write  # for samspills/assign-pr-to-author
     runs-on: ubuntu-latest
     steps:
+
+    - name: Harden Runner
+      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Auto Assign PR
-      uses: samspills/assign-pr-to-author@v1.0.1
+      uses: samspills/assign-pr-to-author@223a87a821f7e7447cfb5221bc53ceeb633341c2
       with:
         repo-token: '${{ secrets.GITHUB_TOKEN }}'
diff --git a/.github/workflows/mark-stale.yml b/.github/workflows/mark-stale.yml
index bdbe3f2..4f2542d 100644
--- a/.github/workflows/mark-stale.yml
+++ b/.github/workflows/mark-stale.yml
@@ -4,14 +4,25 @@ on:
   schedule:
   - cron: "30 1 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   stale:
 
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
-
     steps:
+
+    - name: Harden Runner
+      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Mark Stale
-      uses: actions/stale@v3
+      uses: actions/stale@98ed4cb500039dbcccf4bd9bedada4d0187f2757
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         exempt-all-milestones: true
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
index aa1a9f8..1d21c53 100644
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -7,10 +7,22 @@ name: PR Labeler
 on: 
   pull_request_target:
 
+permissions:
+  contents: read
+
 jobs:
   label:
+    permissions:
+      contents: read  # for actions/labeler to determine modified files
+      pull-requests: write  # for actions/labeler to add labels to PRs
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/labeler@v3
+    
+    - name: Harden Runner
+      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/labeler@472c5d3aaacde439785e94966eb2e545627f4935
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"

From e585016ed7560cbc21eadfa7692c600092be67ef Mon Sep 17 00:00:00 2001
From: irongut <murray.dave@outlook.com>
Date: Sun, 24 Jul 2022 21:33:43 +0100
Subject: [PATCH 3/5] remove workflow permissions from assign PR to author #49

---
 .github/workflows/auto-assign-pr.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/auto-assign-pr.yml b/.github/workflows/auto-assign-pr.yml
index 10c7b0e..ddac786 100644
--- a/.github/workflows/auto-assign-pr.yml
+++ b/.github/workflows/auto-assign-pr.yml
@@ -7,13 +7,13 @@ on:
   pull_request:
     types: [opened]
 
-permissions:
-  contents: read
+# permissions:
+#  contents: read
 
 jobs:
   assignAuthor:
-    permissions:
-      pull-requests: write  # for samspills/assign-pr-to-author
+#    permissions:
+#      pull-requests: write  # for samspills/assign-pr-to-author
     runs-on: ubuntu-latest
     steps:
 

From 4149d3cd4234fc494648fe6816e775fc4a1cd1e8 Mon Sep 17 00:00:00 2001
From: irongut <murray.dave@outlook.com>
Date: Sun, 24 Jul 2022 21:40:38 +0100
Subject: [PATCH 4/5] remove workflow permissions from assign PR to author #49

---
 .github/workflows/auto-assign-pr.yml | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/.github/workflows/auto-assign-pr.yml b/.github/workflows/auto-assign-pr.yml
index ddac786..c3b5483 100644
--- a/.github/workflows/auto-assign-pr.yml
+++ b/.github/workflows/auto-assign-pr.yml
@@ -7,13 +7,8 @@ on:
   pull_request:
     types: [opened]
 
-# permissions:
-#  contents: read
-
 jobs:
   assignAuthor:
-#    permissions:
-#      pull-requests: write  # for samspills/assign-pr-to-author
     runs-on: ubuntu-latest
     steps:
 

From 7ede3df5123a9c5e1f595699bfb55edab6524090 Mon Sep 17 00:00:00 2001
From: irongut <murray.dave@outlook.com>
Date: Sun, 24 Jul 2022 21:56:20 +0100
Subject: [PATCH 5/5] add permissions to assign PR to author #49

---
 .github/workflows/auto-assign-pr.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/auto-assign-pr.yml b/.github/workflows/auto-assign-pr.yml
index c3b5483..b923fd6 100644
--- a/.github/workflows/auto-assign-pr.yml
+++ b/.github/workflows/auto-assign-pr.yml
@@ -7,8 +7,13 @@ on:
   pull_request:
     types: [opened]
 
+permissions:
+  contents: read
+
 jobs:
   assignAuthor:
+    permissions:
+      issues: write  # for samspills/assign-pr-to-author
     runs-on: ubuntu-latest
     steps: