From 65673c7ec0f6887b21af0d9122aed9d6edd9f893 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Mon, 25 May 2026 08:05:05 +0200
Subject: [PATCH] harden gihub actions
- restrict all default permissions
- content: read is not necessary for public repos
- security-events: write is needed for CodeQL uploads of SARIF reports
- persist-credentials: false prevents any github token to remain configured in the checked out repo (not necessary when not intending to push from the action)
- enable docker & github actions updates in dependabot
---
 .github/dependabot.yml | 10 ++++++++++
 .github/workflows/build-image.yml | 6 +++++-
 .github/workflows/rust.yml | 5 ++++-
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 94f65e9..4fb4d9e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -10,3 +10,13 @@ updates:
 schedule:
 interval: "weekly"
 day: "saturday"
+ - package-ecosystem: "docker"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "saturday"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "saturday"
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
index 5c68500..b114754 100644
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@@ -4,12 +4,16 @@ on:
 push:
 tags: '*'
+permissions: {}
+
 jobs:
 build:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Docker meta
 id: meta
 uses: docker/metadata-action@v3
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 8ab73a4..3915bdc 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
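Review bot: The workflow-level `permissions: {}` in build-image.yml leaves the `build` job's GITHUB_TOKEN with no scopes, yet the hunk adds no job-level `permissions` block; if a step later in this job (outside the hunk) logs in to a registry or pushes the image with `secrets.GITHUB_TOKEN`, it will fail with a 403 unless the job declares `permissions:` with `packages: write` (a PAT or registry secret would be unaffected). The commit message's "contents: read is not necessary for public repos" also means checkout silently depends on the repository staying public; a one-line comment next to `permissions: {}` recording that assumption would save the next maintainer a debugging session. As a point of style, `actions/checkout@v6` here and in rust.yml, and `docker/metadata-action@v3`, are mutable tags; pinning to a full commit SHA with the version in a trailing comment (`uses: actions/checkout@<full-commit-sha> # v6`) gives the new dependabot `github-actions` entry something immutable to bump. The `build` job continues past the end of the hunk.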
@@ -3,12 +3,15 @@ on:
 push:
 branches: '*'
 pull_request:
+permissions: {}
 jobs:
 check:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
+ with:
+ persist-credentials: false
 - name: Install Rust
 run: |
 rustup toolchain install 1.91 --profile minimal --no-self-update
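Review bot: The commit message states that `security-events: write` is needed for CodeQL SARIF uploads, but no such grant appears in this hunk; with `permissions: {}` now at the workflow level, any job in rust.yml that uploads SARIF (none is visible here) will be rejected unless that job itself declares `permissions:` with `security-events: write`. If the SARIF upload lives in a separate workflow, it would help to say so in the message or in a comment beside `permissions: {}`, since a reader will otherwise look for the grant here. The `check` job continues past the end of the hunk.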