pinning dependencies + fix permissions

.github/workflows/CICD.yml

@@ -17,6 +17,9 @@ on:
  # Allow manually triggering the workflow.
  workflow_dispatch:
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
  kill_previous:
  name: 0️⃣ Kill previous runs
@@ -25,7 +28,7 @@ jobs:
  if: (github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository)
  steps:
  - name: Cancel Previous Runs
- uses: styfle/[email protected]
+ uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1
  with:
  access_token: ${{ github.token }}
 
@@ -36,15 +39,15 @@ jobs:
  - kill_previous
  steps:
  - name: Setup PHP Action
- uses: shivammathur/[email protected]
+ uses: shivammathur/setup-php@a4e22b60bbb9c1021113f2860347b0759f66fe5d # 2.30.0
  with:
  php-version: 8.2
 
  - name: Checkout code
- uses: actions/[email protected]
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
  - name: Install dependencies
- uses: ramsey/[email protected]
+ uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
 
  - name: Check source code for syntax errors
  run: vendor/bin/parallel-lint --exclude .git --exclude vendor .
@@ -56,15 +59,15 @@ jobs:
  - php_syntax_errors
  steps:
  - name: Set up PHP
- uses: shivammathur/[email protected]
+ uses: shivammathur/setup-php@a4e22b60bbb9c1021113f2860347b0759f66fe5d # 2.30.0
  with:
  php-version: 8.2
 
  - name: Checkout code
- uses: actions/[email protected]
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
  - name: Install dependencies
- uses: ramsey/[email protected]
+ uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
 
  - name: Check source code for code style errors
  run: PHP_CS_FIXER_IGNORE_ENV=1 vendor/bin/php-cs-fixer fix --config=.php-cs-fixer.php --verbose --diff --dry-run
@@ -76,13 +79,13 @@ jobs:
  - php_syntax_errors
  strategy:
  matrix:
- node-version: [16, 18, 20]
+ node-version: [18, 20]
  steps:
  - name: Checkout code
- uses: actions/[email protected]
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
  - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/[email protected]
+ uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
  with:
  node-version: ${{ matrix.node-version }}
 
@@ -105,16 +108,16 @@ jobs:
  - php_syntax_errors
  steps:
  - name: Checkout code
- uses: actions/[email protected]
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
  - name: Setup PHP
- uses: shivammathur/[email protected]
+ uses: shivammathur/setup-php@a4e22b60bbb9c1021113f2860347b0759f66fe5d # 2.30.0
  with:
  php-version: 8.2
  coverage: none
 
  - name: Install Composer dependencies
- uses: ramsey/[email protected]
+ uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
 
  - name: Run PHPStan
  run: vendor/bin/phpstan analyze
@@ -159,7 +162,7 @@ jobs:
 
  steps:
  - name: Checkout code
- uses: actions/[email protected]
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
  - name: Set Up Imagick, FFmpeg & Exiftools
  run: |
@@ -174,15 +177,15 @@ jobs:
  mysql -uroot -proot -e 'create database homestead_test;'
 
  - name: Setup PHP Action
- uses: shivammathur/[email protected]
+ uses: shivammathur/setup-php@a4e22b60bbb9c1021113f2860347b0759f66fe5d # 2.30.0
  with:
  php-version: ${{ matrix.php-version }}
  extensions: ${{ env.extensions }}
  coverage: xdebug
  tools: pecl, composer
 
  - name: Install Composer dependencies
- uses: ramsey/[email protected]
+ uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
 
  - name: copy Env
  run: |
@@ -201,7 +204,7 @@ jobs:
  run: php artisan migrate:rollback
 
  - name: Codecov
- uses: codecov/[email protected]
+ uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # v4.1.0
  env:
  token: ${{ secrets.CODECOV_TOKEN }}
 
@@ -241,7 +244,7 @@ jobs:
 
  steps:
  - name: Checkout code
- uses: actions/[email protected]
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
  - name: Set Up Imagick, FFmpeg & Exiftools
  run: |
@@ -256,14 +259,14 @@ jobs:
  mysql -uroot -proot -e 'create database homestead_test;'
 
  - name: Setup PHP Action
- uses: shivammathur/[email protected]
+ uses: shivammathur/setup-php@a4e22b60bbb9c1021113f2860347b0759f66fe5d # 2.30.0
  with:
  php-version: ${{ matrix.php-version }}
  extensions: ${{ env.extensions }}
  tools: pecl, composer
 
  - name: Install Composer dependencies
- uses: ramsey/[email protected]
+ uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
  with:
  composer-options: --no-dev
 
@@ -300,22 +303,22 @@ jobs:
 
  steps:
  - name: Checkout code
- uses: actions/[email protected]
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
  - name: Setup PHP
- uses: shivammathur/[email protected]
+ uses: shivammathur/setup-php@a4e22b60bbb9c1021113f2860347b0759f66fe5d # 2.30.0
  with:
  php-version: 8.2
  extensions: ${{ env.extensions }}
  coverage: none
 
  - name: Install Composer dependencies
- uses: ramsey/[email protected]
+ uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
  with:
  composer-options: --no-dev
 
  - name: Use Node.js 20
- uses: actions/[email protected]
+ uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
  with:
  node-version: 20
 
@@ -330,7 +333,7 @@ jobs:
  make clean dist
 
  - name: Upload a Build Artifact
- uses: actions/[email protected]
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
  with:
  name: Lychee-Dist.zip
  path: Lychee.zip

.github/workflows/scorecard.yml

@@ -32,12 +32,12 @@ jobs:
 
  steps:
  - name: "Checkout code"
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
  with:
  persist-credentials: false
 
  - name: "Run analysis"
- uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
  with:
  results_file: results.sarif
  results_format: sarif
@@ -59,14 +59,14 @@ jobs:
  # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
  # format to the repository Actions tab.
  - name: "Upload artifact"
- uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
  with:
  name: SARIF file
  path: results.sarif
  retention-days: 5
 
  # Upload the results to GitHub's code scanning dashboard.
  - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+ uses: github/codeql-action/upload-sarif@83a02f7883b12e0e4e1a146174f5e2292a01e601 # v2.16.4
  with:
  sarif_file: results.sarif