Pin actions to hash instead of version, also default all permissions …

.github/workflows/build.yml

@@ -5,6 +5,9 @@ on:
       - main
   pull_request:
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     name: Build ${{ matrix.target }}
@@ -24,7 +27,7 @@ jobs:
 
       # Checkout gallery code and get packages.
       - name: Checkout gallery code
-        uses: actions/checkout@v2
+        uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
       - run: flutter pub get -v
 
       - run: flutter build ${{ matrix.target }}

.github/workflows/mirror.yml

@@ -8,6 +8,9 @@ on:
     branches:
       - 'main'
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   mirror_job:
     permissions:

.github/workflows/release_deploy_play_store.yml

@@ -12,6 +12,9 @@ on:
     tags:
       - "v*"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   fastlane-deploy:
     runs-on: ubuntu-18.04
@@ -25,12 +28,12 @@ jobs:
 
       # Checkout gallery code and get packages.
       - name: Checkout gallery code
-        uses: actions/checkout@v2
+        uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
       - run: flutter pub get
 
       # Setup Ruby, Bundler, and Gemfile dependencies
       - name: Setup Fastlane
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@8029ebd6e5bd8f4e0d6f7623ea76a01ec5b1010d
         with:
           ruby-version: "2.6"
           bundler-cache: true

.github/workflows/release_deploy_web.yml

@@ -12,6 +12,9 @@ on:
     tags:
       - "v*"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build-and-deploy:
     runs-on: ubuntu-18.04
@@ -24,14 +27,14 @@ jobs:
       - run: flutter doctor -v
 
       - name: Install web dependencies
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e
         with:
           node-version: "14"
       - run: npm install -g firebase-tools
 
       # Checkout gallery code and get packages.
       - name: Checkout gallery code
-        uses: actions/checkout@v2
+        uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
       - run: flutter pub get
 
       # Build and deploy (by default, to staging).

.github/workflows/release_draft_github_release.yml

@@ -7,6 +7,9 @@ on:
     tags:
       - "v*"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   generate-changelog:
     name: Generate changelog
@@ -25,7 +28,7 @@ jobs:
           future_release: ${{ github.ref }}
           since_tag: ${{ steps.get_latest_release.outputs.release }}
       - name: Upload changelog
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2
         with:
           name: changelog
           path: CHANGELOG.md
@@ -38,12 +41,12 @@ jobs:
       upload_url: ${{ steps.create_release.outputs.upload_url }}
     steps:
       - name: Download changelog
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@f023be2c48cc18debc3bacd34cb396e0295e2869
         with:
           name: changelog
       - name: Draft release with changelog
         id: create_release
-        uses: actions/create-release@v1
+        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e
         env:
           GITHUB_TOKEN: ${{ secrets.FLUTTERGALLERYRELEASEBOT_TOKEN }}
         with:
@@ -101,7 +104,7 @@ jobs:
           sudo apt-get install -y libgtk-3-dev libx11-dev pkg-config cmake ninja-build libblkid-dev
       - name: Install Android dependencies
         if: matrix.target == 'Android'
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@e54a62b3df9364d4b4c1c29c7225e57fe605d7dd
         with:
           java-version: "12.x"
       - name: Enable desktop support
@@ -113,7 +116,7 @@ jobs:
       - run: flutter doctor -v
       # Checkout gallery code, recreate missing files, and get packages.
       - name: Checkout gallery code
-        uses: actions/checkout@v2
+        uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
       - run: flutter create .
       - run: flutter pub get
 
@@ -163,7 +166,7 @@ jobs:
       # Upload the build.
       - name: Add packaged build to release draft
         id: upload_release_asset
-        uses: actions/upload-release-asset@v1
+        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5
         env:
           GITHUB_TOKEN: ${{ secrets.FLUTTERGALLERYRELEASEBOT_TOKEN }}
         with:

.github/workflows/test.yml

@@ -5,6 +5,9 @@ on:
       - main
   pull_request:
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   unit-test:
     name: Unit tests on ${{ matrix.os }}
@@ -22,7 +25,7 @@ jobs:
 
       # Checkout gallery code and get packages.
       - name: Checkout gallery code
-        uses: actions/checkout@v2
+        uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
       - run: flutter pub get -v
 
       # Analyze, check formatting, and run unit tests.
@@ -46,7 +49,7 @@ jobs:
 
       # Checkout gallery code and get packages.
       - name: Checkout gallery code
-        uses: actions/checkout@v2
+        uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
       - run: flutter pub get -v
 
       - run: flutter test test_benchmarks
@@ -64,13 +67,13 @@ jobs:
 
       # Checkout gallery code and get packages.
       - name: Checkout gallery code
-        uses: actions/checkout@v2
+        uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
       - run: flutter pub get -v
 
       # Run the golden tests and upload failed test artifacts.
       - run: flutter test test_goldens
       - name: Upload goldens if tests fail
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@34622df80861c3ed63eb2bff892de2f1fbf4c9da
         if: failure()
         with:
           name: goldens