From 55111d5661ac234ff7826b8ea13524e37ec2059a Mon Sep 17 00:00:00 2001
From: Michael Howitz
Date: Tue, 28 Jan 2025 08:19:06 +0100
Subject: [PATCH] Secure workflows as suggested by Code scanning alerts of RestrictedPython. (#298)

---
 .github/workflows/pre-commit.yml | 7 +++++--
 .github/workflows/tests.yml | 3 +++
 .meta.toml | 2 +-
 src/zope/meta/default/pre-commit.yml.j2 | 7 +++++--
 src/zope/meta/default/tests.yml.j2 | 3 +++
 5 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 371ca94..ff77ae6 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -15,6 +15,9 @@ env:
 jobs:
 pre-commit:
+ permissions:
+ contents: read
+ pull-requests: write
 name: linting
 runs-on: ubuntu-latest
 steps:
@@ -22,12 +25,12 @@ jobs:
 - uses: actions/setup-python@v5
 with:
 python-version: 3.x
- - uses: pre-commit/action@v3.0.1
+ - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd #v3.0.1
 with:
 extra_args: --all-files --show-diff-on-failure
 env:
 PRE_COMMIT_COLOR: always
- - uses: pre-commit-ci/lite-action@v1.1.0
+ - uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43 #v1.1.0
 if: always()
 with:
 msg: Apply pre-commit code formatting
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 9bf8b91..275490a 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -12,6 +12,9 @@ on:
 jobs:
 build:
+ permissions:
+ contents: read
+ pull-requests: write
 strategy:
 # We want to see all failures:
 fail-fast: false
diff --git a/.meta.toml b/.meta.toml
index 713658e..bb592ae 100644
--- a/.meta.toml
+++ b/.meta.toml
@@ -2,7 +2,7 @@
 # https://github.com/zopefoundation/meta/tree/master/config/pure-python
 [meta]
 template = "pure-python"
-commit-id = "09c35441"
+commit-id = "c95980ef"
 
 [python]
 with-windows = false
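Review bot: `pull-requests: write` in the permissions block added to the pre-commit job is broader than a lint job obviously needs, and the same grant is made in the identical src/zope/meta/default/pre-commit.yml.j2 hunk. None of the job's visible steps writes to a pull request through the workflow token; if pre-commit-ci/lite-action pushes its fixes via the pre-commit.ci app rather than GITHUB_TOKEN, `contents: read` alone may be enough, which is worth confirming against that action's documentation before keeping the write scope. A job-level block also leaves any job added later on the repository default; unless a workflow-level `permissions:` already exists above line 15 (outside the hunk), a top-level `permissions:` / `  contents: read` with per-job elevation is the least-privilege shape. Whatever scope is kept, a comment on the grant naming the step that needs it (e.g. `# pull-requests: write: needed by <STEP_NAME_PLACEHOLDER> to push/comment on the PR`) would make it auditable.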
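Review bot: The context line `- uses: actions/setup-python@v5` is still a mutable tag while the two actions changed in this hunk are pinned to full commit SHAs, so the pinning this commit sets out to do is incomplete for the job; the src/zope/meta/default/pre-commit.yml.j2 hunk has the same gap. The version comments `#v3.0.1` and `#v1.1.0` should be written as `  # v3.0.1` and `  # v1.1.0` (two spaces before and one after the `#`): that is the form yamllint's comments rule expects and, as far as I know, the form dependency-update tooling reads when bumping a pinned SHA. The resolved SHA for setup-python v5 is not on this page, so it has to be looked up from the action's release before pinning.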
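Review bot: `pull-requests: write` is granted to the build job, but a test matrix job normally needs only `contents: read` to check out and run the suite; the rest of the job's steps lie outside the hunk, so if none of them comments on or labels pull requests the block should shrink to `permissions:` / `  contents: read`. The same question applies to the src/zope/meta/default/tests.yml.j2 hunk in this patch, which appears to be the template this workflow is generated from. If a later step does need the write scope, a comment on the grant naming that step would keep the scope explainable.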
diff --git a/src/zope/meta/default/pre-commit.yml.j2 b/src/zope/meta/default/pre-commit.yml.j2
index 4d3554d..a5f2072 100644
--- a/src/zope/meta/default/pre-commit.yml.j2
+++ b/src/zope/meta/default/pre-commit.yml.j2
@@ -13,6 +13,9 @@ env:
 jobs:
 pre-commit:
+ permissions:
+ contents: read
+ pull-requests: write
 name: linting
 runs-on: ubuntu-latest
 steps:
@@ -20,12 +23,12 @@ jobs:
 - uses: actions/setup-python@v5
 with:
 python-version: 3.x
- - uses: pre-commit/action@v3.0.1
+ - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd #v3.0.1
 with:
 extra_args: --all-files --show-diff-on-failure
 env:
 PRE_COMMIT_COLOR: always
- - uses: pre-commit-ci/lite-action@v1.1.0
+ - uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43 #v1.1.0
 if: always()
 with:
 msg: Apply pre-commit code formatting
diff --git a/src/zope/meta/default/tests.yml.j2 b/src/zope/meta/default/tests.yml.j2
index 22e600b..40cf253 100644
--- a/src/zope/meta/default/tests.yml.j2
+++ b/src/zope/meta/default/tests.yml.j2
@@ -15,6 +15,9 @@ on:
 jobs:
 build:
+ permissions:
+ contents: read
+ pull-requests: write
 {% if gha_services %}
 services:
 {% for line in gha_services %}