Merge pull request #316 from cucumber/reduce-actions-permissions

Reduce GitHub Action permissions

Author: mpkorstanje

.github/workflows/format.yml

@@ -1,5 +1,7 @@
 name: check format
 
+permissions: {}
+
 on:
   pull_request:
     branches: [ main ]
@@ -18,6 +20,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
 
     - name: setup environment
       run: |

.github/workflows/linux-build.yml

@@ -1,5 +1,7 @@
 name: Linux build
 
+permissions: {}
+
 on:
   pull_request:
     branches: [ main ]
@@ -28,6 +30,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
 
     - name: setup environment
       run: |

.github/workflows/qt5.yml

@@ -1,5 +1,7 @@
 name: build and test with Qt5
 
+permissions: {}
+
 on:
   pull_request:
     branches: [ main ]
@@ -18,6 +20,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
 
     - name: setup environment
       run: |

.github/workflows/run-all.yml

@@ -1,5 +1,7 @@
 name: run all
 
+permissions: {}
+
 on:
   pull_request:
     branches: [ main ]
@@ -61,7 +63,7 @@ jobs:
         ./run-linux.sh
 
     - name: code coverage summary report
-      uses: irongut/CodeCoverageSummary@v1.3.0
+      uses: irongut/CodeCoverageSummary@51cc3a756ddcd398d447c044c02cb6aa83fdae95 #v1.3.0
       with:
         filename: coverage/cobertura.xml
         indicators: false

.github/workflows/windows-build.yml

@@ -1,5 +1,7 @@
 name: Windows build
 
+permissions: {}
+
 on:
   pull_request:
     branches: [ main ]
@@ -51,7 +53,7 @@ jobs:
 
     - name: Restore cached boost dependencies
       id: cache-boost-deps
-      uses: actions/cache@v3
+      uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c #v3.5.0
       with:
         path: |
           boost_1_82_0