ci(.github): pin actions to commit-hash; set permissions at job level

.github/workflows/cd.yml

@@ -22,7 +22,7 @@ jobs:
         steps:
             - name: Release Please
               id: release
-              uses: googleapis/release-please-action@v4
+              uses: googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445 # v4.2.0
               with:
                   config-file: .github/release-please/config.json
                   manifest-file: .github/release-please/manifest.json
@@ -38,12 +38,12 @@ jobs:
             id-token: write
         steps:
             - name: Check out repo
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   persist-credentials: false
 
             - name: Setup Node
-              uses: actions/setup-node@v4
+              uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
               with:
                   check-latest: true
                   node-version: lts/*
@@ -72,12 +72,12 @@ jobs:
             packages: write
         steps:
             - name: Check out repo
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   persist-credentials: false
 
             - name: Setup Node
-              uses: actions/setup-node@v4
+              uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
               with:
                   check-latest: true
                   node-version: lts/*

.github/workflows/ci.yml

@@ -18,9 +18,6 @@ on:
             - "*.md"
         types: [opened, ready_for_review, reopened, synchronize]
 
-permissions:
-    contents: read
-
 # This allows a subsequently queued workflow run to interrupt previous runs
 concurrency:
     group: "${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
@@ -33,27 +30,31 @@ jobs:
             github.event.pull_request.draft == false &&
             github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        permissions:
+            contents: read
         steps:
             - name: Check out repo
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   persist-credentials: false
 
             - name: Dependency review
-              uses: actions/dependency-review-action@v4
+              uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
 
     lint:
         name: Lint Code
         if: github.event.pull_request.draft == false
         runs-on: ubuntu-latest
+        permissions:
+            contents: read
         steps:
             - name: Check out repo
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   persist-credentials: false
 
             - name: Setup Node
-              uses: actions/setup-node@v4
+              uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
               with:
                   check-latest: true
                   node-version: lts/*
@@ -82,15 +83,17 @@ jobs:
             github.event.pull_request.draft == false &&
             github.actor != 'dependabot[bot]'
         runs-on: ubuntu-latest
+        permissions:
+            contents: read
         steps:
             - name: Check out repo
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   fetch-depth: 0
                   persist-credentials: false
 
             - name: Run Commitlint
-              uses: wagoid/commitlint-github-action@v6
+              uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
               with:
                   configFile: ./package.json
 
@@ -102,14 +105,16 @@ jobs:
                 node-version: [20, 22]
                 os: [macos-latest, ubuntu-latest, windows-latest]
         runs-on: ${{ matrix.os }}
+        permissions:
+            contents: read
         steps:
             - name: Check out repo
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   persist-credentials: false
 
             - name: Setup Node ${{ matrix.node-version }}
-              uses: actions/setup-node@v4
+              uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
               with:
                   node-version: ${{ matrix.node-version }}
 
@@ -120,8 +125,8 @@ jobs:
               run: npm run test:unit:coverage
 
             - name: Coveralls parallel
-              if: github.repository == 'Fdawgs/fastify-disablecache'
-              uses: coverallsapp/github-action@v2
+              if: github.repository == 'Fdawgs/fastify-json-to-xml'
+              uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
               with:
                   github-token: ${{ secrets.GITHUB_TOKEN }}
                   parallel: true
@@ -132,37 +137,30 @@ jobs:
         needs: unit-tests
         if: >
             github.event.pull_request.draft == false &&
-            github.repository == 'Fdawgs/fastify-disablecache'
+            github.repository == 'Fdawgs/fastify-json-to-xml'
         runs-on: ubuntu-latest
+        permissions:
+            contents: read
         steps:
             - name: Coveralls finished
-              uses: coverallsapp/github-action@v2
+              uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
               with:
                   github-token: ${{ secrets.GITHUB_TOKEN }}
                   parallel-finished: true
 
-    # This job is used to save the PR number in an artifact, for use in the automerge.yml workflow
-    save-pr-number:
-        name: Save Dependabot PR Number
+    automerge:
+        name: Automerge Dependabot PRs
         needs: unit-tests
         if: >
             github.event.pull_request.draft == false &&
             github.event_name == 'pull_request' &&
             github.event.pull_request.user.login == 'dependabot[bot]'
         runs-on: ubuntu-latest
+        permissions:
+            pull-requests: write
+            contents: write
         steps:
-            - name: Check out repo
-              uses: actions/checkout@v4
+            - uses: fastify/github-action-merge-dependabot@e820d631adb1d8ab16c3b93e5afe713450884a4a # v3.11.1
               with:
-                  persist-credentials: false
-
-            - name: Save PR number
-              run: |
-                  mkdir -p ./pr
-                  echo ${{ github.event.number }} > ./pr/NR
-
-            - name: Upload PR number in artifact
-              uses: actions/upload-artifact@v4
-              with:
-                  name: pr
-                  path: pr/
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
+                  merge-method: squash

.github/workflows/codeql.yml

@@ -16,30 +16,36 @@ on:
             - "**/*.yml"
         types: [opened, ready_for_review, reopened, synchronize]
 
-permissions:
-    security-events: write
-
 # This allows a subsequently queued workflow run to interrupt previous runs
 concurrency:
     group: "${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
     cancel-in-progress: true
 
 jobs:
     build:
+        name: CodeQL Analysis
         if: github.event.pull_request.draft == false
+        strategy:
+            matrix:
+                languages: ["actions", "javascript-typescript"]
         runs-on: ubuntu-latest
+        permissions:
+            contents: read
+            security-events: write
         steps:
             - name: Check out repo
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   persist-credentials: false
 
             # Initialises the CodeQL tools for scanning
             - name: Initialise CodeQL
-              uses: github/codeql-action/init@v3
+              uses: github/codeql-action/init@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
               with:
-                  languages: javascript
                   config-file: ./.github/codeql-config.yml
+                  languages: ${{ matrix.languages }}
 
             - name: Perform CodeQL analysis
-              uses: github/codeql-action/analyze@v3
+              uses: github/codeql-action/analyze@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+              with:
+                  category: "/language:${{matrix.language}}"

.github/workflows/link-check.yml

@@ -31,22 +31,21 @@ on:
     # Allows this workflow to be run manually from the Actions tab
     workflow_dispatch:
 
-permissions:
-    contents: read
-
 jobs:
     link-check:
         name: Link Check
         if: github.event.pull_request.draft == false
         runs-on: ubuntu-latest
+        permissions:
+            contents: read
         steps:
             - name: Check out repo
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   persist-credentials: false
 
             - name: Run Linkinator
-              uses: JustinBeckwith/linkinator-action@v1
+              uses: JustinBeckwith/linkinator-action@3d5ba091319fa7b0ac14703761eebb7d100e6f6d # v1.11.0
               with:
                   paths: "**/*.md"
                   skip: "https://(?:www.|)github.com/Fdawgs/.*/(?:commit|issues|compare)/, http://0.0.0.0"