opf · oliverguenther · May 5, 2026 · May 5, 2026 · May 5, 2026 · May 5, 2026
diff --git a/.github/workflows/brakeman-scan-core.yml b/.github/workflows/brakeman-scan-core.yml
@@ -25,10 +25,12 @@ jobs:
       RUBY_GC_HEAP_INIT_SLOTS: 100000
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Setup Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1
 
       - name: Setup Brakeman
         run: |
@@ -44,6 +46,6 @@ jobs:
             --output output.sarif.json
 
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4
         with:
           sarif_file: output.sarif.json
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
@@ -19,7 +19,7 @@ jobs:
     steps:
       - name: "CLA Assistant"
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: contributor-assistant/github-action@v2.6.1
+        uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
         env:
           # https://github.com/contributor-assistant/github-action?tab=readme-ov-file#environmental-variables
           # Built-in GitHub token to make the API calls for interacting with GitHub. Does not need to be specified the secrets store.

diff --git a/.github/workflows/codeql-scan-core.yml b/.github/workflows/codeql-scan-core.yml
@@ -31,17 +31,19 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4
         with:
           config-file: ./.github/codeql/config.yml
           languages: ${{ matrix.language }}
           # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
           queries: security-extended,security-and-quality
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/create-merge-from-previous-release-branch-pr.yml b/.github/workflows/create-merge-from-previous-release-branch-pr.yml
@@ -59,7 +59,7 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ env.RELEASE_BRANCH }}
 

diff --git a/.github/workflows/create-merge-release-into-dev-pr.yml b/.github/workflows/create-merge-release-into-dev-pr.yml
@@ -44,7 +44,7 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ env.BASE_BRANCH }}
 

diff --git a/.github/workflows/crowdin.yml b/.github/workflows/crowdin.yml
@@ -42,11 +42,11 @@ jobs:
           - dev
           - "${{ needs.setup.outputs.latest_release_branch }}"
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ matrix.branch }}
           fetch-depth: 1
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1
         with:
           bundler-cache: true
       - name: "Set crowdin branch name"
@@ -66,7 +66,7 @@ jobs:
             bundle exec script/i18n/generate_seeders_i18n_source_file
           fi
       - name: "Crowdin: upload sources and download translations"
-        uses: crowdin/github-action@v2
+        uses: crowdin/github-action@8868a33591d21088edfc398968173a3b98d51706 # v2
         with:
           # Upload current source files
           upload_sources: true

diff --git a/.github/workflows/danger.yml b/.github/workflows/danger.yml
@@ -14,11 +14,15 @@ jobs:
     if: github.repository_owner == 'opf'
     runs-on: [ubuntu-latest]
     timeout-minutes: 10
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
-      - uses: ruby/setup-ruby@v1
+          persist-credentials: false
+      - uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1
         with:
           ruby-version: .ruby-version
           bundler-cache: true

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -34,9 +34,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout repository'
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
         # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options.
         with:
           comment-summary-in-pr: on-failure
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
@@ -10,18 +10,23 @@ on:
         description: "The tag to release. Note that this happens by default on the tag push. Only run this action when something went wrong!"
         required: false
 
+permissions: {}
+
 jobs:
   compute-inputs:
     if: github.repository == 'opf/openproject'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       tag: ${{ steps.compute.outputs.tag }}
       branch: ${{ steps.compute.outputs.branch }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.ref }}
+          persist-credentials: false
       - name: Compute tags and branch
         id: compute
         env:
@@ -47,6 +52,8 @@ jobs:
 
   build:
     needs: [compute-inputs]
+    permissions:
+      contents: read
     uses: ./.github/workflows/docker.yml
     with:
       branch: ${{ needs.compute-inputs.outputs.branch }}

diff --git a/.github/workflows/docker-scheduled.yml b/.github/workflows/docker-scheduled.yml
@@ -6,9 +6,13 @@ on:
     - cron: "20 2 * * *" # Daily at 02:20
   workflow_dispatch: # Allow manual trigger
 
+permissions: {}
+
 jobs:
   build-dev:
     if: github.repository == 'opf/openproject'
+    permissions:
+      contents: read
     uses: ./.github/workflows/docker.yml
     with:
       branch: dev
@@ -20,9 +24,12 @@ jobs:
       OPS_MAIL_SMTP_TOKEN: ${{ secrets.OPS_MAIL_SMTP_TOKEN }}
   build-release-candidate:
     if: github.repository == 'opf/openproject'
+    permissions:
+      contents: read
     # References to release/X.Y and X.Y-rc are being
     # updated from the devkit (UpdateWorkflows step) whenever a new release branch is created
-    uses: opf/openproject/.github/workflows/docker.yml@release/17.4
+    # Ignore unpinned uses as we reference the latest release branch and change it
+    uses: opf/openproject/.github/workflows/docker.yml@release/17.4 # zizmor: ignore[unpinned-uses]
     with:
       branch: release/17.4
       tag: 17.4-rc