Improved overall security for github actions

.github/workflows/android-native-build.yml

@@ -1,4 +1,6 @@
 name: Android Native build
+permissions:
+  contents: read
 
 on:
   workflow_dispatch:
@@ -15,7 +17,7 @@ jobs:
           ref: ${{ github.head_ref }}
 
       - name: Install Android NDK
-        uses: nttld/setup-ndk@v1.4.2
+        uses: nttld/setup-ndk@afb4c9964b521afb97c864b7d40b11e6911bd410
         with:
           ndk-version: r25c
 

.github/workflows/build-all.yml

@@ -2,6 +2,9 @@
 # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net
 
 name: CI (Native + dotnet)
+permissions:
+  contents: read
+  checks: write
 
 on:
    push:
@@ -14,9 +17,6 @@ on:
             description: 'Enable GPU libraries build and publish'
             required: true
             default: 'false'
-permissions:
-  contents: read
-  checks: write
 
 jobs:
    android:

.github/workflows/dotnet-maui.yml

@@ -2,6 +2,8 @@
 # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net
 
 name: Dotnet Maui Build and Test
+permissions:
+  contents: read
 
 on:
   workflow_call:
@@ -23,7 +25,7 @@ jobs:
           dotnet-version: |
             9.0.x
 
-      - uses: maxim-lobanov/setup-xcode@v1
+      - uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd
         with:
           xcode-version: '16.2'
 
@@ -89,7 +91,7 @@ jobs:
         run: dotnet tool install Microsoft.DotNet.XHarness.CLI --global --add-source https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json --version "10.0.0-*"
 
       - name: run android tests
-        uses: reactivecircus/android-emulator-runner@v2
+        uses: reactivecircus/android-emulator-runner@62dbb605bba737720e10b196cb4220d374026a6d
         with:
           api-level: 29
           arch: x86_64
@@ -119,7 +121,7 @@ jobs:
           dotnet-version: |
             8.0.x
             
-      - uses: maxim-lobanov/setup-xcode@v1
+      - uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd
         with:
           xcode-version: '16.2'
 

.github/workflows/dotnet.yml

@@ -3,13 +3,14 @@
 
 name: Dotnet Build and Test
 
-on:
-  workflow_call:
-
 permissions:
   contents: read
   checks: write
 
+on:
+  workflow_call:
+
+
 env:
   HF_TOKEN: ${{ secrets.HF_TOKEN }}
 
@@ -45,7 +46,7 @@ jobs:
           dotnet test ./Whisper.net.sln --no-build  --logger "trx"
           
       - name: Test Reporter
-        uses: dorny/test-reporter@v1.9.1
+        uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5
         if: success() || failure()    # run this step even if previous step failed
         with:
           name: Whisper.net MacOs Test Results
@@ -91,7 +92,7 @@ jobs:
           dotnet test ./Whisper.net.sln --no-build --logger "trx"
           
       - name: Test Reporter
-        uses: dorny/test-reporter@v1.9.1
+        uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5
         if: success() || failure()    # run this step even if previous step failed
         with:
           name: Whisper.net Windows Test Results
@@ -137,7 +138,7 @@ jobs:
           dotnet test ./Whisper.net.sln --no-build --logger "trx"
                         
       - name: Test Reporter
-        uses: dorny/test-reporter@v1.9.1
+        uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5
         if: success() || failure()    # run this step even if previous step failed
         with:
           name: Whisper.net Linux Test Results

.github/workflows/linux-cuda-native-build.yml

@@ -1,5 +1,8 @@
 name: Linux Cuda Native build
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   workflow_call:
@@ -21,7 +24,7 @@ jobs:
         run: sudo apt-get update && sudo apt-get install -y gcc-arm-linux-gnueabihf && sudo apt-get install -y g++-arm-linux-gnueabihf
 
       - name: Install CUDA Toolkit
-        uses: Jimver/cuda-toolkit@v0.2.18
+        uses: Jimver/cuda-toolkit@8022558310ea543e35132143092835585f60e628
         with:
           cuda: "12.1.0"
 

.github/workflows/linux-native-build.yml

@@ -1,5 +1,8 @@
 name: Linux Native build
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   workflow_call:

.github/workflows/linux-noavx-native-build.yml

@@ -1,5 +1,8 @@
 name: Linux Native build Without AVX
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   workflow_call:

.github/workflows/linux-openvino-native-build.yml

@@ -1,5 +1,8 @@
 name: Linux OpenVino native build
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   workflow_call:

.github/workflows/linux-vulkan-native-build.yml

@@ -1,5 +1,8 @@
 name: Linux Vulkan native build
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   workflow_call:
@@ -21,7 +24,7 @@ jobs:
         run: sudo apt-get update && sudo apt-get install -y gcc-arm-linux-gnueabihf && sudo apt-get install -y g++-arm-linux-gnueabihf
 
       - name: Install Vulkan SDK
-        uses: jakoch/install-vulkan-sdk-action@v1.0.4
+        uses: jakoch/install-vulkan-sdk-action@40216eed6cafc7df0be5eb80620a9f0e7c7104f9
         with:
           vulkan_version: 1.3.290.0
           optional_components: com.lunarg.vulkan.vma

.github/workflows/macos-coreml-native-build.yml

@@ -1,5 +1,8 @@
 name: MacOs CoreML Native build
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   workflow_call:

.github/workflows/macos-native-build.yml

@@ -1,5 +1,8 @@
 name: MacOs Native build
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   workflow_call:

.github/workflows/pack-all.yml

@@ -3,6 +3,9 @@
 
 name: Pack All
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
      inputs:

.github/workflows/push-all.yml

@@ -3,12 +3,12 @@
 
 name: Push Nuget Packages to nuget.org
 
-on:
-  workflow_call:
-
 permissions:
   contents: write
 
+on:
+  workflow_call:
+
 jobs:
   push-nupkgs:
     runs-on: windows-latest

.github/workflows/release.yml

@@ -3,6 +3,8 @@
 
 name: CD (Native + dotnet)
 
+permissions:
+    contents: write
 on:
    workflow_dispatch:
       inputs:

.github/workflows/wasm-native-build.yml

@@ -1,5 +1,8 @@
 name: Wasm Native build
 
+permissions:
+    contents: read
+
 on:
   workflow_dispatch:
   workflow_call:
@@ -15,7 +18,7 @@ jobs:
           ref: ${{ github.head_ref }}
 
       - name: Install Emscripten
-        uses: mymindstorm/setup-emsdk@v13
+        uses: mymindstorm/setup-emsdk@6ab9eb1bda2574c4ddb79809fc9247783eaf9021
 
       - name: Run wasm build
         run: make wasm

.github/workflows/windows-cuda-native-build.yml

@@ -1,5 +1,8 @@
 name: Windows Cuda native build
 
+permissions:
+    contents: read
+
 on:
   workflow_dispatch:
   workflow_call:
@@ -16,14 +19,14 @@ jobs:
           ref: ${{ github.head_ref }}
 
       - name: Add msbuild to PATH
-        uses: microsoft/setup-msbuild@v2
+        uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce
 
       - name: Install OpenCl with vcpkg
         run: |
           vcpkg --triplet=x64-windows install opencl
 
       - name: Install CUDA Toolkit
-        uses: Jimver/cuda-toolkit@v0.2.18
+        uses: Jimver/cuda-toolkit@8022558310ea543e35132143092835585f60e628
         with:
           cuda: "12.1.0"
 

.github/workflows/windows-native-build.yml

@@ -1,5 +1,8 @@
 name: Windows native build
 
+permissions:
+    contents: read
+
 on:
   workflow_dispatch:
   workflow_call:

.github/workflows/windows-noavx-native-build.yml

@@ -1,5 +1,8 @@
 name: Windows native build Without AVX
 
+permissions:
+    contents: read
+
 on:
   workflow_dispatch:
   workflow_call:

.github/workflows/windows-openvino-native-build.yml

@@ -1,5 +1,8 @@
 name: Windows OpenVino native build
 
+permissions:
+    contents: read
+
 on:
   workflow_dispatch:
   workflow_call:
@@ -15,7 +18,7 @@ jobs:
           ref: ${{ github.head_ref }}
 
       - name: Add msbuild to PATH
-        uses: microsoft/setup-msbuild@v2
+        uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce
 
       - name: Run Build
         run: |

.github/workflows/windows-vulkan-native-build.yml

@@ -1,5 +1,8 @@
 name: Windows Vulkan native build
 
+permissions:
+    contents: read
+
 on:
   workflow_dispatch:
   workflow_call:
@@ -15,10 +18,10 @@ jobs:
           ref: ${{ github.head_ref }}
 
       - name: Add msbuild to PATH
-        uses: microsoft/setup-msbuild@v2
+        uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce
 
       - name: Install Vulkan SDK
-        uses: jakoch/install-vulkan-sdk-action@v1.0.4
+        uses: jakoch/install-vulkan-sdk-action@40216eed6cafc7df0be5eb80620a9f0e7c7104f9
         with:
           vulkan_version: 1.3.290.0
           optional_components: com.lunarg.vulkan.vma

Whisper.net.sln

@@ -25,6 +25,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "github", "github", "{5C8656
 		.github\workflows\linux-native-build.yml = .github\workflows\linux-native-build.yml
 		.github\workflows\linux-noavx-native-build.yml = .github\workflows\linux-noavx-native-build.yml
 		.github\workflows\linux-openvino-native-build.yml = .github\workflows\linux-openvino-native-build.yml
+		.github\workflows\linux-vulkan-native-build.yml = .github\workflows\linux-vulkan-native-build.yml
 		.github\workflows\macos-coreml-native-build.yml = .github\workflows\macos-coreml-native-build.yml
 		.github\workflows\macos-native-build.yml = .github\workflows\macos-native-build.yml
 		.github\workflows\pack-all.yml = .github\workflows\pack-all.yml