From 93a0e1ceff055d943129d0b07108c61b8cfe48d1 Mon Sep 17 00:00:00 2001 From: Charlie Collett Date: Wed, 19 Feb 2025 12:11:23 -0800 Subject: [PATCH] Add permissions and 3rd-party pinning --- .github/workflows/ci.yml | 6 +++++- .github/workflows/code-analysis.yml | 3 +++ .github/workflows/compatability-matrix.yml | 3 +++ .github/workflows/docker-matrix.yml | 6 +++++- 4 files changed, 16 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 63b2b0d..932f3e7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,8 @@ name: CI +permissions: + contents: read + on: push: branches: @@ -14,7 +17,8 @@ jobs: uses: actions/checkout@v4 - name: Set up Docker Build - uses: docker/setup-buildx-action@v3.4.0 + uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0 + # update w/ git ls-remote https://github.com/docker/setup-buildx-action.git | grep refs/tags/v - name: Build current Docker image with tests run: | diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml index 3f1ab64..bc81f99 100644 --- a/.github/workflows/code-analysis.yml +++ b/.github/workflows/code-analysis.yml @@ -1,5 +1,8 @@ name: Code Analysis +permissions: + contents: read + on: push: branches: diff --git a/.github/workflows/compatability-matrix.yml b/.github/workflows/compatability-matrix.yml index ff7b076..87ba7b1 100644 --- a/.github/workflows/compatability-matrix.yml +++ b/.github/workflows/compatability-matrix.yml @@ -1,5 +1,8 @@ name: Compatibility Matrix +permissions: + contents: read + on: workflow_dispatch: diff --git a/.github/workflows/docker-matrix.yml b/.github/workflows/docker-matrix.yml index e874b96..a49dcef 100644 --- a/.github/workflows/docker-matrix.yml +++ b/.github/workflows/docker-matrix.yml @@ -1,5 +1,8 @@ name: Docker Matrix +permissions: + contents: read + on: workflow_dispatch: 
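Review bot: The update recipe in the new comment, `git ls-remote … | grep refs/tags/v`, can hand a maintainer a tag-object SHA instead of a commit SHA: for annotated tags `git ls-remote` lists both `refs/tags/v3.9.0` (the tag object) and `refs/tags/v3.9.0^{}` (the peeled commit), and `uses:` only resolves the latter, so following the comment literally could produce a pin the runner cannot fetch. Consider `# update w/ git ls-remote --tags https://github.com/docker/setup-buildx-action.git 'v*^{}'`, or keep the `# v3.9.0` trailer and let Dependabot/Renovate bump the SHA, which they can do from that trailer. It is also worth recording in the PR that `f7ce87c…` was checked against the v3.9.0 tag before merging, since the commit message does not say how the hash was obtained.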
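Review bot: The workflow-level `contents: read` added to code-analysis.yml may be too tight for the jobs it governs, which lie outside this hunk: once a top-level `permissions:` block exists every unlisted scope becomes `none`, so if the analysis job uploads SARIF (for example via `github/codeql-action/analyze` or `upload-sarif`) it will fail without `security-events: write`, and on a private repository also `actions: read`. Keep the workflow default as it is and grant the extra scope on that job only, e.g. a job-level `permissions:` with `contents: read` and `security-events: write`. The same check applies to the CI and Docker Matrix workflows if any step pushes an image (`packages: write`) or writes a check or PR comment.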
@@ -18,7 +21,8 @@ jobs: uses: actions/checkout@v4 - name: Set up Docker Build - uses: docker/setup-buildx-action@v3.4.0 + uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0 + # update w/ git ls-remote https://github.com/docker/setup-buildx-action.git | grep refs/tags/v - name: Build current Docker image with tests run: |
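Review bot: `actions/checkout@v4` two lines above the new pin is still a mutable tag while `docker/setup-buildx-action` is now a commit SHA, so this step list mixes two pinning models; if the intent is to SHA-pin only non-GitHub-owned actions, as the subject's "3rd-party" suggests, state that policy in the comment, otherwise pin checkout the same way. The update comment is duplicated verbatim from ci.yml; a one-line `# v3.9.0 — keep in sync with ci.yml; bump via ls-remote or Dependabot` would make the shared-maintenance expectation explicit so the two workflows do not drift apart. The enclosing `jobs:` block begins before this hunk.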