Update permissions and unpinned tags

Signed-off-by: Venelin Bakalov <bakalovv@vmware.com>

Author: VenelinBakalov

.github/workflows/build.yml

@@ -1,4 +1,5 @@
 name: Build
+
 on:
   push:
     branches:
@@ -9,6 +10,11 @@ on:
     branches:
       - master
   workflow_dispatch: {}
+
+permissions:
+  actions: write
+  contents: write
+
 jobs:
   build:
     name: Node.js v${{ matrix.node-version }} on ${{ matrix.os }}
@@ -76,7 +82,7 @@ jobs:
         if: runner.os == 'ubuntu-latest'
 
       - name: Publish code coverage report
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@e3f7b8baf8199f0945b1a1a79d355e4f22c53e4f # v1
         if: runner.os == 'ubuntu-latest'
         with:
           token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/draft-release.yml

@@ -1,9 +1,15 @@
 name: Draft Release
+
 on:
   workflow_dispatch:
   push:
     tags:
       - "v*"
+
+permissions:
+  actions: write
+  contents: write
+
 jobs:
   build_release:
     name: Build and Release
@@ -42,7 +48,7 @@ jobs:
         run: "npm pack --workspaces"
 
       - name: Publish code coverage report
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@e3f7b8baf8199f0945b1a1a79d355e4f22c53e4f # v1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           file: "**/coverage/*.json"
@@ -88,7 +94,7 @@ jobs:
 
       - name: Generate release notes
         id: generate_changelog
-        uses: nblagoev/pull-release-notes-action@v1.0.2
+        uses: nblagoev/pull-release-notes-action@f2ccb8e7976e86655c98d5e77b655b31b005dc05 # v1.0.2
         with:
           base-ref: ${{ env.baseRef }}
           head-ref: ${{ github.ref }}

.github/workflows/lint-pr.yml

@@ -1,9 +1,14 @@
 name: Lint Pull Request
+
 on:
   pull_request:
     branches:
       - master
 
+permissions:
+  actions: write
+  contents: read
+
 jobs:
   lint:
     name: eslint
@@ -20,7 +25,7 @@ jobs:
         run: npm install -g npm@8.3.1 # lock to 8.3.1 until actions/setup-node#411 and npm/cli#4341 are fixed
 
       - name: reviewdog
-        uses: reviewdog/action-eslint@v1
+        uses: reviewdog/action-eslint@9b5b0150e399e1f007ee3c27bc156549810a64e3 # v1.33.0
         with:
           reporter: github-pr-review
           eslint_flags: "packages/node/vrdt-common/src/**/*.ts packages/node/vro-language-server/src/**/*.ts extension/src/**/*.ts "

.github/workflows/publish.yml

@@ -1,8 +1,14 @@
 name: Publish Release
+
 on:
   workflow_dispatch:
   release:
     types: [released]
+
+permissions:
+  actions: write
+  contents: read
+
 jobs:
   publish:
     name: Publish to Visual Studio Marketplace and GitHub Packages

.github/workflows/release-drafter.yml

@@ -27,7 +27,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # Drafts your next Release notes as Pull Requests are merged into "master"
-      - uses: release-drafter/release-drafter@v6
+      - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6
         with:
           config-name: release-drafter.yml
         env:

.github/workflows/sync-wiki.yml

@@ -6,6 +6,10 @@ on:
     paths:
       - "wiki/**"
 
+permissions:
+  actions: write
+  contents: write
+
 jobs:
   sync:
     runs-on: ubuntu-latest