diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..9cbb9b7c --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,8 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + cooldown: + default-days: 7 diff --git a/.github/workflows/check-signed-commits.yml b/.github/workflows/check-signed-commits.yml index 42547210..c4ca5dc8 100644 --- a/.github/workflows/check-signed-commits.yml +++ b/.github/workflows/check-signed-commits.yml @@ -1,13 +1,21 @@ name: Check signed commits in PR on: pull_request_target +permissions: + contents: read + jobs: build: name: Check signed commits in PR permissions: contents: read pull-requests: write - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Check signed commits in PR - uses: 1Password/check-signed-commits-action@main + uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # main diff --git a/.github/workflows/ok-to-test.yml b/.github/workflows/ok-to-test.yml index 136e4fdf..b3bd28aa 100644 --- a/.github/workflows/ok-to-test.yml +++ b/.github/workflows/ok-to-test.yml @@ -5,17 +5,25 @@ on: issue_comment: types: [created] +permissions: + contents: read + jobs: ok-to-test: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 # required permissions for adding reactions to the pull request comments permissions: pull-requests: write # Only run for PRs, not issue comments if: ${{ github.event.issue.pull_request }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Slash Command Dispatch - uses: peter-evans/slash-command-dispatch@v3 + uses: peter-evans/slash-command-dispatch@f996d7b7aae9059759ac55e978cff76d91853301 # v3.0.2 with: token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} reaction-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 89269365..e67de0d5 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -11,6 +11,9 @@ on: repository_dispatch: types: [ ok-to-test-command ] +permissions: + contents: read + jobs: test-trusted: @@ -22,9 +25,14 @@ jobs: python-version: ["3.10", "3.11", "3.12", "3.13"] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: ${{ matrix.python-version }} - name: Integration Test @@ -46,12 +54,17 @@ jobs: python example/example.py lint: name: Lint - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: '3.x' @@ -83,13 +96,18 @@ jobs: steps: # Check out merge commit + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Fork based /ok-to-test checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: ref: ${{ github.event.client_payload.pull_request.head.sha }} - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: '3.x' @@ -112,7 +130,7 @@ jobs: python example/example.py # Update check run called "integration-fork" on the forked PR - - uses: actions/github-script@v6 + - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 id: update-check-run if: ${{ always() }} env: