From d7583b0e18ca6bed6759ca881c91cfc4ddcbb8ba Mon Sep 17 00:00:00 2001
From: "Andy (Steve) De George" <67293991+adegeo@users.noreply.github.com>
Date: Mon, 29 Jul 2024 10:49:02 -0700
Subject: [PATCH] Security changes to match dotnet=docs (#1869)

---
 .../workflows/check-for-build-warnings.yml | 20 ++++++++++++-------
 .github/workflows/live-protection.yml | 5 ++++-
 .github/workflows/rebase-needed.yml | 2 +-
 3 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/check-for-build-warnings.yml b/.github/workflows/check-for-build-warnings.yml
index 7e4d8fb61a..cb87db2a6c 100644
--- a/.github/workflows/check-for-build-warnings.yml
+++ b/.github/workflows/check-for-build-warnings.yml
@@ -1,22 +1,28 @@
 name: 'OPS status checker'
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   status_checker_job:
     name: Look for build warnings
     runs-on: ubuntu-latest
     permissions:
-      statuses: write
-      issues: write
-      pull-requests: write
+      statuses: read
+      pull-requests: read
     steps:
-      - uses: actions/checkout@v3
-      - uses: dotnet/docs-tools/actions/status-checker@main
+      - name: Harden Runner
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        with:
+          egress-policy: audit
+
+      - uses: dotnet/docs-tools/actions/status-checker@5e8bcc78465d45a7544bba56509a1a69922b6a5a # main
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           docs_path: "dotnet-desktop-guide"
           url_base_path: "dotnet/desktop"
-          opaque_leading_url_segments: "framework:view=netframeworkdesktop-4.8,net:view=netdesktop-7.0"
+          opaque_leading_url_segments: "framework:view=netframeworkdesktop-4.8,net:view=netdesktop-7.0,net:view=netdesktop-8.0"
diff --git a/.github/workflows/live-protection.yml b/.github/workflows/live-protection.yml
index 9424e933a6..31643fb680 100644
--- a/.github/workflows/live-protection.yml
+++ b/.github/workflows/live-protection.yml
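Review bot: The job now grants only `statuses: read` and `pull-requests: read`, yet the status-checker step still receives `repo_token: ${{ secrets.GITHUB_TOKEN }}`; if that action posts commit statuses or PR comments, as its name suggests, the call will be rejected with a read-only token, and with the trigger moved from `pull_request_target` to `pull_request` the token is read-only on fork pull requests regardless of the declared permissions. Confirm that the action works without write scopes, or record the expected behaviour with a comment such as `# GITHUB_TOKEN is read-only for fork PRs under pull_request; status-checker must tolerate this`. The removal of the `actions/checkout@v3` step deserves a second look too: if the action resolves `docs_path` against the workspace, nothing is checked out any more. Separately, `egress-policy: audit` only logs outbound connections; once the baseline is known, `egress-policy: block` with an `allowed-endpoints` list is what actually contains a compromised step. The same trigger change appears in the live-protection.yml and rebase-needed.yml hunks.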
@@ -1,4 +1,7 @@
-on: [pull_request_target]
+on: [pull_request]
+
+permissions:
+  contents: read
 
 jobs:
   comment:
diff --git a/.github/workflows/rebase-needed.yml b/.github/workflows/rebase-needed.yml
index 831d396cb8..45617d23e4 100644
--- a/.github/workflows/rebase-needed.yml
+++ b/.github/workflows/rebase-needed.yml
@@ -2,7 +2,7 @@ name: "rebase required"
 on:
   push:
-  pull_request_target:
+  pull_request:
     types: [synchronize]
 
 jobs:
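Review bot: The new top-level `permissions: contents: read` becomes the default for every job in this file, so the `comment` job, whose body lies outside the hunk, loses whatever implicit write access it relied on; if it posts a pull-request comment, as the name suggests, it now needs an explicit job-level `permissions:` block with `pull-requests: write`, and a job-level grant is the right place for it rather than widening the workflow default. Even then, a `pull_request` run from a fork receives a read-only token and no repository secrets, so the job must handle that path gracefully. A comment on the `on:` line such as `# pull_request (not _target): fork PRs run with a read-only token and no secrets` would record the trade-off made here.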