Mitigate security vulnerabilities in CI. (#943)

Kichura · web-flow · commit a41b2d4c9b62 · 2025-11-22T21:44:08.000+01:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,10 +1,14 @@
 version: 2
 updates:
   - package-ecosystem: "gradle"
+    cooldown:
+      default-days: 7
     directory: "/"
     schedule:
       interval: "daily"
   - package-ecosystem: "github-actions"
+    cooldown:
+      default-days: 7
     directory: "/"
     schedule:
       interval: "weekly"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,26 +1,28 @@
 name: Build
-on: [ pull_request, push, workflow_dispatch ]
+on: [pull_request, push, workflow_dispatch]
+permissions:
+  contents: read
 
 jobs:
   build:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
         with:
           persist-credentials: false
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v5
+        uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # 5.0.0
       - name: Set up JDK 21
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # 5.0.0
         with:
           distribution: 'temurin'
           java-version: 21
           check-latest: true
       - name: Build with Gradle
         run: ./gradlew build
       - name: Upload Artifacts to GitHub
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # 5.0.0
         with:
           name: Artifacts
-          path: build/libs/
+          path: build/libs/
diff --git a/.github/workflows/sync-crowdin.yml b/.github/workflows/sync-crowdin.yml
@@ -4,16 +4,20 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   synchronize-with-crowdin:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-24.04-arm
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # 6.0.0
         with:
           persist-credentials: false
       - name: Crowdin Sync
-        uses: crowdin/github-action@v2
+        uses: crowdin/github-action@08713f00a50548bfe39b37e8f44afb53e7a802d4 # 2.12.0
         with:
           config: .github/crowdin.yml
           upload_sources: true
@@ -27,4 +31,4 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
-          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
