From a7fde9d1ba26574fe1a067b15ebf0714de085946 Mon Sep 17 00:00:00 2001
From: Step Security <bot@stepsecurity.io>
Date: Mon, 15 Aug 2022 22:53:12 +0000
Subject: [PATCH] [StepSecurity] Remediate token permission, and unpinned
 dependencies security issues in .github/workflows/release.yml

---
 .github/workflows/release.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c6d445f..069d2af 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,9 @@ defaults:
   run:
     shell: pwsh
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   update_tag:
     name: Update the major tag to include the ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }} changes
@@ -28,7 +31,7 @@ jobs:
           api.github.com:443
           github.com:443
 
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
     - name: Update the rc tag
       uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
       with:
@@ -36,7 +39,7 @@ jobs:
         rc: true
 
     - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int@sha256:a0e71f0f02a1298be8e34914f4d28df8e43275e63921faa4ee629822b376bd02 # latest
       env:
         PAT: ${{ secrets.PAT }}
         canary: true