diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 15edbe6..10fba8d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,5 @@
 name: Continuous Integration
-on:
+on:
 push:
 branches:
 - main
@@ -11,15 +11,19 @@ concurrency:
 env:
 GOTOOLCHAIN: auto
+
+permissions:
+ contents: read
+
 jobs:
 test-makefile:
 name: Build and test makefile
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
- - uses: actions/setup-go@v6
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version: 'stable'
 check-latest: true
@@ -30,8 +34,8 @@ jobs:
 sudo apt-get install -y make tar diffutils bzip2 gzip curl git
 - name: Run make
 run: make
- - name: Upload results to Codecov
- uses: codecov/codecov-action@v5
+ - name: Upload results to Codecov
+ uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: ./test/coverage/integration.out,./test/coverage/unit.out
@@ -41,15 +45,15 @@ jobs:
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
- os: [ ubuntu-latest, ubuntu-24.04-arm]
+ os: [ ubuntu-latest, ubuntu-24.04-arm ]
 container:
- image: quay.io/fedora/fedora:latest
+ image: quay.io/fedora/fedora:44
 options: --user root
 steps:
 - name: Check out repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Set up GO
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version: 'stable'
 check-latest: true
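Review bot: The `container.image` for the Fedora job is changed to `quay.io/fedora/fedora:44`, which is still a mutable tag, so the job's build environment is not pinned the way the action references in the same hunk are. Moving from `latest` to a major version narrows the drift, but any push to the `44` tag still changes what the job runs; add a digest as well, e.g. `image: quay.io/fedora/fedora:44@sha256:<digest-placeholder>`, and bump it deliberately. The job header of the Fedora job sits above the hunk, so its name is not visible here.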
@@ -67,21 +71,24 @@ jobs:
 runs-on: ubuntu-latest
 needs: [test-makefile, test-fedora, test-macos, test-windows]
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+ permissions:
+ # version-release needs write permissions to push tags; all other permissions are implicitly none
+ contents: write
 steps:
 - name: Github app installation token
- uses: actions/create-github-app-token@v3
+ uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3
 id: app-token
 with:
 app-id: ${{ vars.RELEASE_APP_ID }}
 private-key: ${{ secrets.RELEASE_APP_PK }}
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 fetch-tags: true
 token: ${{ steps.app-token.outputs.token }}
 - name: Semantic Release
- uses: cycjimmy/semantic-release-action@v6
+ uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6
 env:
 GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
@@ -90,10 +97,10 @@ jobs:
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
- os: [ macos-latest, macos-26-intel ]
+ os: [ macos-latest, macos-26-intel ]
 steps:
 - name: Check out repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Install dependencies
 run: |
 brew update
@@ -112,8 +119,8 @@ jobs:
 os: [ windows-latest, windows-11-arm ]
 steps:
 - name: Check out repository
- uses: actions/checkout@v6
- - uses: actions/setup-go@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version: 'stable'
 check-latest: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f880dda..52e889d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
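Review bot: The job-level `contents: write` added above `steps:` widens the workflow's own `GITHUB_TOKEN`, yet every step in this hunk that checks out or pushes uses `steps.app-token.outputs.token` (the checkout `token:` and the `GITHUB_TOKEN` env on the Semantic Release step), so the broadened default token appears to go unused. If no step outside the hunk pushes with the default token, drop the job-level block and let the job inherit the workflow's `contents: read`, or set `contents: read` explicitly. If some step does rely on it, make the comment name that step rather than the job, e.g. `# <step-name> pushes tags with GITHUB_TOKEN; the semantic-release steps use the app token`. The job header is above the hunk and its remaining steps may continue below it, so this is inferred from the visible lines only.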
@@ -7,28 +7,30 @@ on:
 permissions:
 contents: write
+
 env:
 GOTOOLCHAIN: auto
+
 jobs:
 goreleaser:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 fetch-depth: 0
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version: 'stable'
 check-latest: true
 - name: Run GoReleaser
- uses: goreleaser/goreleaser-action@v7
+ uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7
 with:
 distribution: goreleaser
 version: v2
 args: release --clean
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index bc2c171..649f61e 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -7,24 +7,29 @@ on:
 branches: [ main ]
 schedule:
 - cron: '0 6 * * *'
+
+permissions:
+ contents: read
+
 env:
 GOTOOLCHAIN: auto
+
 jobs:
 vulnerability-scan:
 name: Vulnerability Scanning
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version: 'stable'
 check-latest: true
 - name: Install govulncheck
- run: go install golang.org/x/vuln/cmd/govulncheck@latest
+ run: go install golang.org/x/vuln/cmd/govulncheck@v1.3.0
 - name: Run govulncheck
 run: govulncheck ./...
@@ -36,7 +41,7 @@ jobs:
 actions: read
 contents: read
 security-events: write
-
+
 strategy:
 fail-fast: false
 matrix:
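Review bot: In release.yml the `permissions: contents: write` grant stays at workflow scope while the same change moves ci.yml to a workflow-wide `contents: read` with write granted only on the job that needs it; for consistency and least privilege, move the grant under the `goreleaser` job, i.e. `goreleaser:` / `  permissions:` / `    contents: write`, and leave `contents: read` at the top. Only one job is visible in this hunk, so the effective scope may be identical today, but any job added to this workflow later would inherit write access silently. The `on:` block precedes the hunk and is not visible here.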
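Review bot: The new `go install golang.org/x/vuln/cmd/govulncheck@v1.3.0` line pins the scanner without a comment, and in a scheduled scan job a bare pin reads as if it might also freeze the vulnerability data the nightly run is meant to refresh. A comment such as `# pinned tool version; the vulnerability database is still fetched at run time, so findings stay current` would state the intent and deter a revert to `@latest`. The pin itself is sound here, since `go install` of a tagged module version is by default verified against the Go checksum database, unlike a mutable git tag; the tool version still needs a periodic bump so the scanner's own fixes are picked up.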
@@ -44,24 +49,24 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version: 'stable'
 check-latest: true
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4
 with:
 languages: ${{ matrix.language }}
 queries: security-and-quality
 - name: Autobuild
- uses: github/codeql-action/autobuild@v4
+ uses: github/codeql-action/autobuild@e46ed2cbd01164d986452f91f178727624ae40d7 # v4
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4
 with:
- category: "/language:${{matrix.language}}"
\ No newline at end of file
+ category: "/language:${{matrix.language}}"