From dd5459eece66ca7292ae0b0aad032028775f8142 Mon Sep 17 00:00:00 2001
From: probonopd
Date: Sat, 27 Jul 2024 11:53:20 +0200
Subject: [PATCH] Restrict permissions and pin "uses:"

---
 .github/workflows/pr-comment.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/pr-comment.yml b/.github/workflows/pr-comment.yml
index 74b0c0f..863a6d8 100644
--- a/.github/workflows/pr-comment.yml
+++ b/.github/workflows/pr-comment.yml
@@ -12,10 +12,16 @@ jobs:
     name: Add artifact links to PR and issues
     runs-on: ubuntu-22.04
+    # Restrict permissions for the GITHUB_TOKEN, https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+    permissions:
+      issues: write
+      pull-requests: write
+      actions: read
+
     steps:
       - name: Add artifact links to PR and issues
         if: github.event.workflow_run.event == 'pull_request'
-        uses: tonyhallett/artifacts-url-comments@v1.1.0
+        uses: tonyhallett/artifacts-url-comments@0965ff1a7ae03c5c1644d3c30f956effea4e05ef # v1.1.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with: