From 5e2f899aa38282acb0387898f87a322c0413771c Mon Sep 17 00:00:00 2001
From: srinics
Date: Tue, 1 Oct 2024 10:54:23 +0530
Subject: [PATCH] Changes made for openssf fix (#98)

---
 .github/workflows/onmergerelease.yml | 10 ++++++----
 .github/workflows/onpullrequest.yml  |  3 +++
 .github/workflows/security-scans.yml |  9 +++++++--
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/onmergerelease.yml b/.github/workflows/onmergerelease.yml
index 2673dfa..ad76f3c 100644
--- a/.github/workflows/onmergerelease.yml
+++ b/.github/workflows/onmergerelease.yml
@@ -8,6 +8,8 @@ on:
     tags:
       - '**'
 
+permissions: read-all
+
 jobs:
   build-test-scan:
     runs-on: [ ubuntu-20.04 ]
@@ -18,15 +20,15 @@ jobs:
       PYTHONPATH: ${{ github.workspace }}:$PYTHONPATH
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 0
-
+
       - name: Setup Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: '3.8.10'
-
+
       - name: Install Poetry
         run: pip install poetry==1.7.1
 
diff --git a/.github/workflows/onpullrequest.yml b/.github/workflows/onpullrequest.yml
index 4fcaa53..12f8aa9 100644
--- a/.github/workflows/onpullrequest.yml
+++ b/.github/workflows/onpullrequest.yml
@@ -3,6 +3,9 @@ name: OnPullRequest
 on:
   pull_request:
 
+
+permissions: read-all
+
 
 jobs:
   security-file-check:
diff --git a/.github/workflows/security-scans.yml b/.github/workflows/security-scans.yml
index fecc2f1..af0db4e 100644
--- a/.github/workflows/security-scans.yml
+++ b/.github/workflows/security-scans.yml
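Review bot: `permissions: read-all` is set at the workflow level of a push/tag-triggered workflow, so any job in it that writes (creating a release, pushing a package or image, uploading SARIF) will now get a 403 unless it declares its own job-level `permissions:` block; only `build-test-scan` is visible in this hunk, so whether any job here writes cannot be confirmed from the diff. `read-all` also grants read on every token scope rather than the minimum the jobs use; the usual least-privilege form is a top-level `permissions:` / `  contents: read`, with any extra scope added per job. Worth deciding which of the two this workflow actually needs before the release path breaks on the next tag.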
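Review bot: The `actions/checkout` pin in this hunk resolves to v3.6.0, while `security-scans.yml` in the same patch was on `actions/checkout@v4` before this change, so the repository is being standardised on the older major; pinning to a v4 release SHA would avoid that inconsistency (and, as far as I recall, the deprecated Node 16 runtime that v3 still runs on). The `# v3.6.0` / `# v4.7.1` trailers are the only human-readable part of a SHA pin, so they need to be maintained by Dependabot or Renovate — a stale tag comment beside a SHA is worse than none. `run: pip install poetry==1.7.1` on the last line is version-pinned but not hash-pinned; if the OpenSSF Scorecard Pinned-Dependencies check is the target, it may still flag this, and `pip install --require-hashes -r requirements-poetry.txt` (with the hash generated once) closes it.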
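Review bot: The three added lines put a blank line on both sides of `permissions: read-all` even though the surrounding context already has a blank line on each side (reading the collapsed hunk by its `-3,6 +3,9` counts), leaving two consecutive blank lines before and after it, which yamllint's `empty-lines` rule rejects by default; adding only `permissions: read-all` plus one blank is enough. Since this is a `pull_request` workflow whose token is already read-only for fork PRs, consider the narrower `permissions:` / `  contents: read` here as well, so the token carries no scopes the `security-file-check` job does not use.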
@@ -1,12 +1,17 @@
 name: "Security Scans"
 on:
   workflow_dispatch:
+
+permissions: read-all
 
 jobs:
   bandit-scan:
     runs-on: [ self-hosted, taas ]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        with:
+          fetch-depth: 0
+
       - name: Bandit Scan
         uses: intel-innersource/frameworks.devops.github.actions.bandit@main
         with:
@@ -17,7 +22,7 @@ jobs:
   Checkmarx:
     runs-on: [ self-hosted, taas ]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Scan
         uses: intel-innersource/frameworks.devops.github.actions.checkmarx@main
         with:
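Review bot: The bandit job's checkout is downgraded by this hunk: the removed line was `actions/checkout@v4` and the replacement SHA is the v3.6.0 commit, so "pinning" also moves the job back a major version; pin to a v4 release commit instead (`uses: actions/checkout@<v4 release SHA> # v4.x.y`) and keep all three workflows on the same one. `fetch-depth: 0` is added at the same time and fetches full history; nothing in this hunk shows bandit needing history, so unless it does, the default shallow clone is cheaper and leaves less on the self-hosted runner's disk. The commit's stated goal is the OpenSSF pinned-dependencies fix, yet `intel-innersource/frameworks.devops.github.actions.bandit@main` on the following context line is still a mutable branch ref — that is the third-party code that actually runs against the checkout, and it should be pinned to a commit SHA the same way.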
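Review bot: `intel-innersource/frameworks.devops.github.actions.checkmarx@main`, two lines below the newly pinned checkout, remains a floating branch ref, so the Checkmarx job still executes whatever is on that action's `main` at run time; the same SHA pin applied to `actions/checkout` belongs here too (`uses: intel-innersource/frameworks.devops.github.actions.checkmarx@<commit-sha> # <tag>`), since this is the step that receives the source tree and the scanner credentials. If this action uploads results to code scanning, the new workflow-level `permissions: read-all` also drops `security-events: write`, which the job would then need to declare at job level; the hunk does not show enough of the step's `with:` block to tell.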