From e2098d0baabeae9d68610c03e96ef486168aa9d4 Mon Sep 17 00:00:00 2001 From: Drew Roen Date: Fri, 27 May 2022 21:35:22 +0000 Subject: [PATCH] Pin actions to hash instead of version, also default all permissions to read --- .github/workflows/build.yml | 5 ++++- .github/workflows/mirror.yml | 3 +++ .github/workflows/release_deploy_play_store.yml | 7 +++++-- .github/workflows/release_deploy_web.yml | 7 +++++-- .../workflows/release_draft_github_release.yml | 15 +++++++++------ .github/workflows/test.yml | 11 +++++++---- 6 files changed, 33 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 59f44a2254..60bcd20a5b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,6 +5,9 @@ on: - main pull_request: +# Declare default permissions as read only. +permissions: read-all + jobs: build: name: Build ${{ matrix.target }} @@ -24,7 +27,7 @@ jobs: # Checkout gallery code and get packages. - name: Checkout gallery code - uses: actions/checkout@v2 + uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf - run: flutter pub get -v - run: flutter build ${{ matrix.target }} diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml index ff48d8db76..586ce23064 100644 --- a/.github/workflows/mirror.yml +++ b/.github/workflows/mirror.yml @@ -8,6 +8,9 @@ on: branches: - 'main' +# Declare default permissions as read only. +permissions: read-all + jobs: mirror_job: permissions: diff --git a/.github/workflows/release_deploy_play_store.yml b/.github/workflows/release_deploy_play_store.yml index 37a25804df..94dddc4f60 100644 --- a/.github/workflows/release_deploy_play_store.yml +++ b/.github/workflows/release_deploy_play_store.yml @@ -12,6 +12,9 @@ on: tags: - "v*" +# Declare default permissions as read only. +permissions: read-all + jobs: fastlane-deploy: runs-on: ubuntu-18.04 
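Review bot: `permissions: read-all` at the workflow level is broader than build.yml appears to need: the only token use visible in this file's hunks is the checkout step, which requires just `contents: read`, while `read-all` also grants read on every other scope (issues, pull-requests, packages, and so on). Consider `permissions:` / `  contents: read` instead; the same applies to the equivalent hunks in mirror.yml, release_deploy_play_store.yml, release_deploy_web.yml, release_draft_github_release.yml and test.yml. In mirror.yml the `mirror_job:` context shows a job-level `permissions:` block, which replaces the workflow-level default for that job rather than adding to it, so that job's effective scope is unchanged by this line and the per-job block remains the place to review.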
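Review bot: The new `uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf` line records the commit but not the release it was taken from, so a reviewer cannot tell at a glance that the SHA still tracks the `v2` line that was pinned before, and a future bump cannot be checked against a changelog. Keep the tag in a trailing comment on every pinned line, e.g. `uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf # <tag the SHA was taken from>`; this applies to every other `uses:` line in the patch. I cannot see whether the repository has a Dependabot config for the `github-actions` ecosystem; if it does not, adding one is what keeps hash pins from going stale, since Dependabot bumps the SHA and the tag comment together.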
@@ -25,12 +28,12 @@ jobs: # Checkout gallery code and get packages. - name: Checkout gallery code - uses: actions/checkout@v2 + uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf - run: flutter pub get # Setup Ruby, Bundler, and Gemfile dependencies - name: Setup Fastlane - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@8029ebd6e5bd8f4e0d6f7623ea76a01ec5b1010d with: ruby-version: "2.6" bundler-cache: true diff --git a/.github/workflows/release_deploy_web.yml b/.github/workflows/release_deploy_web.yml index b9b361f316..a0bc35cc34 100644 --- a/.github/workflows/release_deploy_web.yml +++ b/.github/workflows/release_deploy_web.yml @@ -12,6 +12,9 @@ on: tags: - "v*" +# Declare default permissions as read only. +permissions: read-all + jobs: build-and-deploy: runs-on: ubuntu-18.04 @@ -24,14 +27,14 @@ jobs: - run: flutter doctor -v - name: Install web dependencies - uses: actions/setup-node@v1 + uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e with: node-version: "14" - run: npm install -g firebase-tools # Checkout gallery code and get packages. - name: Checkout gallery code - uses: actions/checkout@v2 + uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf - run: flutter pub get # Build and deploy (by default, to staging). diff --git a/.github/workflows/release_draft_github_release.yml b/.github/workflows/release_draft_github_release.yml index c591f95541..456bdad309 100644 --- a/.github/workflows/release_draft_github_release.yml +++ b/.github/workflows/release_draft_github_release.yml @@ -7,6 +7,9 @@ on: tags: - "v*" +# Declare default permissions as read only. +permissions: read-all + jobs: generate-changelog: name: Generate changelog @@ -25,7 +28,7 @@ jobs: future_release: ${{ github.ref }} since_tag: ${{ steps.get_latest_release.outputs.release }} - name: Upload changelog - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 with: name: changelog path: CHANGELOG.md 
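Review bot: `actions/upload-artifact` is now pinned to two different commits in this patch: `82c141cc518b40d92cc801eee768e7aafc9c2fa2` here in release_draft_github_release.yml (replacing `@v2`) and `34622df80861c3ed63eb2bff892de2f1fbf4c9da` in the last hunk of test.yml (replacing `@v1`), so the repository carries two versions of the same action, and the older v1 line in test.yml is the one most likely to be overlooked in future bumps. Pinning both files to the same commit, with the tag named in a trailing comment, makes the next bump a single reviewable change; the `download-artifact` pin in the following hunk should then be kept on a matching major version.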
@@ -38,12 +41,12 @@ jobs: upload_url: ${{ steps.create_release.outputs.upload_url }} steps: - name: Download changelog - uses: actions/download-artifact@v2 + uses: actions/download-artifact@f023be2c48cc18debc3bacd34cb396e0295e2869 with: name: changelog - name: Draft release with changelog id: create_release - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e env: GITHUB_TOKEN: ${{ secrets.FLUTTERGALLERYRELEASEBOT_TOKEN }} with: @@ -101,7 +104,7 @@ jobs: sudo apt-get install -y libgtk-3-dev libx11-dev pkg-config cmake ninja-build libblkid-dev - name: Install Android dependencies if: matrix.target == 'Android' - uses: actions/setup-java@v1 + uses: actions/setup-java@e54a62b3df9364d4b4c1c29c7225e57fe605d7dd with: java-version: "12.x" - name: Enable desktop support @@ -113,7 +116,7 @@ jobs: - run: flutter doctor -v # Checkout gallery code, recreate missing files, and get packages. - name: Checkout gallery code - uses: actions/checkout@v2 + uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf - run: flutter create . - run: flutter pub get @@ -163,7 +166,7 @@ jobs: # Upload the build. - name: Add packaged build to release draft id: upload_release_asset - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 env: GITHUB_TOKEN: ${{ secrets.FLUTTERGALLERYRELEASEBOT_TOKEN }} with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c145d64680..1f9121a0a7 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -5,6 +5,9 @@ on: - main pull_request: +# Declare default permissions as read only. +permissions: read-all + jobs: unit-test: name: Unit tests on ${{ matrix.os }} 
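Review bot: The `permissions: read-all` default added earlier in this file does not constrain the `Draft release with changelog` step, because `permissions` only scopes the workflow's own `GITHUB_TOKEN`, and this step (like `upload-release-asset` in the last hunk of this file) authenticates with `secrets.FLUTTERGALLERYRELEASEBOT_TOKEN`, a stored credential whose scope is whatever was granted when it was created. If that secret is a classic PAT, a job-level `permissions:` / `  contents: write` with the built-in `GITHUB_TOKEN` would give the release steps exactly the scope they need; if the bot token is required for another reason (e.g. so the created release triggers downstream workflows), that reason is worth a one-line comment above the `env:` block. Separately, `actions/create-release` and `actions/upload-release-asset` appear to be archived upstream, so pinning them to a commit freezes code that will not receive fixes; a comment such as `# archived upstream; replace rather than bump` on those two lines would tell the next maintainer not to treat them like the other pins.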
@@ -22,7 +25,7 @@ jobs: # Checkout gallery code and get packages. - name: Checkout gallery code - uses: actions/checkout@v2 + uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf - run: flutter pub get -v # Analyze, check formatting, and run unit tests. @@ -46,7 +49,7 @@ jobs: # Checkout gallery code and get packages. - name: Checkout gallery code - uses: actions/checkout@v2 + uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf - run: flutter pub get -v - run: flutter test test_benchmarks @@ -64,13 +67,13 @@ jobs: # Checkout gallery code and get packages. - name: Checkout gallery code - uses: actions/checkout@v2 + uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf - run: flutter pub get -v # Run the golden tests and upload failed test artifacts. - run: flutter test test_goldens - name: Upload goldens if tests fail - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@34622df80861c3ed63eb2bff892de2f1fbf4c9da if: failure() with: name: goldens