Securing release workflow wip

.github/workflows/docker-release.yml

@@ -7,6 +7,10 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   publishDocker:
     environment: dockerhub

.github/workflows/go.yml

@@ -22,10 +22,6 @@ jobs:
     - name: Get dependencies
       run: |
         go get -v -t -d ./...
-        if [ -f Gopkg.toml ]; then
-            curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
-            dep ensure
-        fi
 
     - name: Check the build
       shell: bash -l {0}

.github/workflows/release.yml

@@ -41,18 +41,18 @@ jobs:
             man.md
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@v3
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
 
       - name: Cross compile
         run: |
           sudo apt-get install rhash -y
-          go install github.com/goreleaser/goreleaser/v2@latest
+          go install github.com/goreleaser/goreleaser/v2@v2.15.2
           ./scripts/xcompile.sh
 
       - name: Sign checksums
         run: |
-          cosign sign-blob --yes --output-bundle build/checksums.bundle build/checksums
-          cosign sign-blob --yes --output-bundle build/checksums-bsd.bundle build/checksums-bsd
+          cosign sign-blob --yes --bundle build/checksums.bundle build/checksums
+          cosign sign-blob --yes --bundle build/checksums-bsd.bundle build/checksums-bsd
 
       - name: Release
         uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2

.github/workflows/snap-release.yml

@@ -7,6 +7,9 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
     buildSnap:
       environment: snap