ci: Apply CodeQL workflow fixes

.github/workflows/deploy-package.yml

@@ -26,6 +26,10 @@ concurrency:
   group: ${{ inputs.environment }}
   cancel-in-progress: true
 
+permissions:
+  contents: write
+  packages: write
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/deploy-website.yml

@@ -8,6 +8,9 @@
 env:
   JEKYLL_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     name: Cloudflare Pages
@@ -28,7 +31,7 @@
         uses: actions/checkout@v4
 
       - name: Setup Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@v1.207.0
         with:
           ruby-version: 3.3
 
@@ -40,7 +43,7 @@
         run: echo "version=$(date +'%Y.%m.%d')-${{ github.run_number }}" >> $GITHUB_OUTPUT
 
       - name: Replace cache markers
-        uses: jacobtomlinson/gha-find-replace@v3
+        uses: jacobtomlinson/gha-find-replace@f1069b438f125e5395d84d1c6fd3b559a7880cb5
         with:
           find: "YYYY.MM.DD"
           replace: "${{ steps.tag.outputs.version }}"
@@ -60,7 +63,7 @@
 
       - name: Publish to Cloudflare Pages
         id: deploy
-        uses: cloudflare/wrangler-action@v3
+        uses: cloudflare/wrangler-action@v3.1.0
         with:
           apiToken: ${{ secrets.CLOUDFLARE_API_KEY }}
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}

.github/workflows/lint-pull-request.yml

@@ -16,7 +16,7 @@
     runs-on: ubuntu-latest
 
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - uses: amannn/action-semantic-pull-request@v5.1.0
         id: lint_pr_title
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -29,7 +29,7 @@
             bot
             dependencies
 
-      - uses: marocchino/sticky-pull-request-comment@v2
+      - uses: marocchino/sticky-pull-request-comment@v2.1.0
         if: always() && (steps.lint_pr_title.outputs.error_message != null)
         with:
           header: pr-title-lint-error
@@ -60,25 +60,25 @@
             - `style: Format trading strategy classes`
             - `refactor: Restructure trading engine components`
             - `perf: Optimize trade order execution flow`
-            
+
             #### Documentation & testing
             - `docs: Update API documentation`
             - `test: Add unit tests for sign-in flow`
-            
+
             #### Infrastructure
             - `build: Update .NET SDK version to 8.0`
             - `ci: Add workflow for performance testing`
             - `chore: Update NuGet dependencies`
-            
+
             #### Other
             - `revert: Remove faulty market data provider`
-            
+
             See [Conventional Commits](https://www.conventionalcommits.org) for more details.
             </details>
 
       # Delete a previous comment when the issue has been resolved
       - if: ${{ steps.lint_pr_title.outputs.error_message == null }}
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@v2.1.0
         with:
           header: pr-title-lint-error
           delete: true

.github/workflows/lock-issues-pr.yml

@@ -19,7 +19,7 @@
     timeout-minutes: 10
 
     steps:
-      - uses: dessant/lock-threads@v5
+      - uses: dessant/lock-threads@v5.0.1
         with:
           process-only: issues, prs
           issue-inactive-days: "90"

.github/workflows/test-examples.yml

@@ -12,6 +12,9 @@ on:
       - docs/examples/**
       - ".github/workflows/test-examples.yml"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: build

.github/workflows/test-indicators.yml

@@ -7,6 +7,11 @@ on:
     branches: ["*"]
   workflow_dispatch:
 
+permissions:
+  contents: read   # Required for checkout
+  actions: read    # Required for workflow runs
+  checks: write    # Required for test results
+
 jobs:
   test:
     name: unit tests

.github/workflows/test-performance.yml

@@ -5,6 +5,9 @@ concurrency:
 
 on: workflow_dispatch
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     runs-on: ubuntu-22.04

.github/workflows/test-website-a11y.yml

@@ -12,6 +12,9 @@
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -27,7 +30,7 @@
         uses: actions/checkout@v4
 
       - name: Setup Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@v1.207.0
         with:
           ruby-version: 3.3
 
@@ -37,7 +40,7 @@
           npm install -g pa11y-ci
 
       - name: Use 'localhost'
-        uses: jacobtomlinson/gha-find-replace@v3
+        uses: jacobtomlinson/gha-find-replace@f1069b438f125e5395d84d1c6fd3b559a7880cb5
         with:
           find: "https://dotnet.stockindicators.dev"
           replace: "http://127.0.0.1:4000"

.github/workflows/test-website-links.yml

@@ -12,6 +12,9 @@
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -27,7 +30,7 @@
         uses: actions/checkout@v4
 
       - name: Setup Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@v1.207.0
         with:
           ruby-version: 3.3
 
@@ -37,14 +40,14 @@
           gem install html-proofer
 
       - name: Replace "data-src"
-        uses: jacobtomlinson/gha-find-replace@v3
+        uses: jacobtomlinson/gha-find-replace@f1069b438f125e5395d84d1c6fd3b559a7880cb5
         with:
           find: "data-src"
           replace: "src"
           regex: false
 
       - name: Use 'localhost'
-        uses: jacobtomlinson/gha-find-replace@v3
+        uses: jacobtomlinson/gha-find-replace@f1069b438f125e5395d84d1c6fd3b559a7880cb5
         with:
           find: "https://dotnet.stockindicators.dev"
           replace: "http://127.0.0.1:4000"