From 08e1620a9ef64965ce10395cb87cf8e81f1d54b6 Mon Sep 17 00:00:00 2001 From: Dhaval Gojiya Date: Mon, 18 May 2026 20:07:22 +0530 Subject: [PATCH] chore(ci): fix CI pipeline security issues reported by zizmor --- .github/workflows/pr-for-official-repo.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr-for-official-repo.yml b/.github/workflows/pr-for-official-repo.yml index d3e74a5..352d1fd 100644 --- a/.github/workflows/pr-for-official-repo.yml +++ b/.github/workflows/pr-for-official-repo.yml @@ -8,6 +8,9 @@ on: - 'generate-stackbrew-library.sh' - '[0-9]+.[0-9]+*/**' +permissions: + contents: read + jobs: test: # Only run this job for the apache repo, not on any forks 
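Review bot: The new workflow-level `permissions: contents: read` is the right default, but nothing in the file records that the `test` job's final step still has to push to `docker-solr/official-images`, which the read-only `GITHUB_TOKEN` cannot do regardless of this block; it presumably depends on a separate token passed to the action (not visible in this hunk). Without a comment, the next person who sees a push failure is likely to "fix" it by widening this to `contents: write`, which would not help and would undo the hardening. I would add directly above the new block: `# Least privilege for GITHUB_TOKEN; the cross-repo PR step must use its own token input, not these permissions.`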
@@ -19,30 +22,37 @@ jobs: steps: # Setup - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # This is required for stackbrew to know which commit a dockerfile belongs to fetch-depth: 0 + persist-credentials: false + - name: Checkout official-images fork - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: docker-library/official-images path: official-images + persist-credentials: false + - name: check headcommit message id: commit run: | message="$(jq '.head_commit.message' $GITHUB_EVENT_PATH | sed -E 's/^#/ #/g' | sed -E 's/(#[0-9]+)$/\1 /g' | sed -E 's/([^a-zA-Z])(#[0-9]+[^0-9])/\1apache\/solr-docker\2/g' | tr -d \")" # get the message, substituting the github links echo ::set-output name=title::${message%%\\n*} # get the title + - name: Install BashBrew run: | mkdir -p "${HOME}/.local/bin" wget -nv --output-document="${HOME}/.local/bin/bashbrew" https://github.com/docker-library/bashbrew/releases/download/v0.1.12/bashbrew-amd64 chmod a+x "${HOME}/.local/bin/bashbrew" echo "${HOME}/.local/bin" >> $GITHUB_PATH + - name: Generate new Solr manifest run: ./generate-stackbrew-library.sh > official-images/library/solr + - name: Create Pull Request - uses: peter-evans/create-pull-request@v4 + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: path: official-images push-to-fork: docker-solr/official-images
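Review bot: The `check headcommit message` step still emits the commit message through the deprecated `::set-output` workflow command, and the text is written unescaped, so any `::`-prefixed sequence in a commit message is interpreted as a workflow command rather than data; the pinning and `persist-credentials: false` changes in this hunk do not address that. Replace the last line of that `run` block with `echo "title=${message%%\\n*}" >> "$GITHUB_OUTPUT"` (and quote `"$GITHUB_EVENT_PATH"` in the `jq` call while there), which keeps the same `steps.commit.outputs.title` output for downstream steps. A second supply-chain gap in the same hunk is the `Install BashBrew` step: the binary is fetched from a release tag with `wget` and executed with no integrity check, so a compromised or re-tagged release would run unverified code in the job; pin it with a `sha256sum -c` against a known digest before `chmod a+x`. The enclosing `steps:` list appears to end with `push-to-fork:` here, but any further inputs to the create-pull-request step are outside this hunk.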