diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 3dbcaf1..c4b860c 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -4,6 +4,8 @@ on: branches: [main] pull_request: +permissions: {} + env: RUST_TOOLCHAIN_VERSION: "1.94.0" RUSTFLAGS: "-D warnings" @@ -15,42 +17,40 @@ jobs: name: Run tests runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} + persist-credentials: false + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" - run: cargo test --all-features clippy: name: Check clippy runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - components: clippy + persist-credentials: false + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component clippy - run: cargo clippy --all-targets -- -D warnings fmt: name: Check formatting runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - components: rustfmt + persist-credentials: false + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component rustfmt - run: cargo fmt --all -- --check docs: name: Generate docs runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} + persist-credentials: false + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" - run: cargo doc --document-private-items build: @@ -65,10 +65,12 @@ jobs: - ubuntu-latest - ubicloud-standard-8-arm steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Build and (optionally) push container image id: build - uses: stackabletech/actions/build-container-image@013e6482fbc0edf2d38cf9220fc931f6a81336fb # v0.0.6 + uses: stackabletech/actions/build-container-image@a14cbd08d9e034e2361ea9205b32aff0491885db # v0.15.0 with: image-name: trino-lb image-index-manifest-tag: dev @@ -76,7 +78,7 @@ jobs: - name: Publish Container Image on oci.stackable.tech if: github.event_name == 'push' && github.ref == 'refs/heads/main' - uses: stackabletech/actions/publish-image@013e6482fbc0edf2d38cf9220fc931f6a81336fb # v0.0.6 + uses: stackabletech/actions/publish-image@a14cbd08d9e034e2361ea9205b32aff0491885db # v0.15.0 with: image-registry-uri: oci.stackable.tech image-registry-username: robot$stackable+github-action-build @@ -95,10 +97,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Publish and Sign Image Index Manifest to oci.stackable.tech - uses: stackabletech/actions/publish-index-manifest@013e6482fbc0edf2d38cf9220fc931f6a81336fb # v0.0.6 + uses: stackabletech/actions/publish-index-manifest@a14cbd08d9e034e2361ea9205b32aff0491885db # v0.15.0 with: image-registry-uri: oci.stackable.tech image-registry-username: robot$stackable+github-action-build diff --git a/.github/workflows/pr_pre-commit.yaml b/.github/workflows/pr_pre-commit.yaml index 87ee7ba..75856ed 100644 --- a/.github/workflows/pr_pre-commit.yaml +++ b/.github/workflows/pr_pre-commit.yaml @@ -4,6 +4,8 @@ name: pre-commit on: pull_request: +permissions: {} + env: CARGO_TERM_COLOR: always RUST_TOOLCHAIN_VERSION: "1.94.0" @@ -13,16 +15,14 @@ jobs: pre-commit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + persist-credentials: false + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: '3.12' - - uses: dtolnay/rust-toolchain@master - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - components: rustfmt,clippy + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component rustfmt,clippy - name: Setup Hadolint shell: bash run: | diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 7884b58..110f727 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -3,6 +3,8 @@ on: push: tags: ['v[0-9]+.[0-9]+.[0-9]+'] +permissions: {} + env: RUST_TOOLCHAIN_VERSION: "1.94.0" RUSTFLAGS: "-D warnings" @@ -14,42 +16,40 @@ jobs: name: Run tests runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} + persist-credentials: false + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" - run: cargo test --all-features clippy: name: Check clippy runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - components: clippy + persist-credentials: false + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component clippy - run: cargo clippy --all-targets -- -D warnings fmt: name: Check formatting runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - components: rustfmt + persist-credentials: false + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --component clippy - run: cargo fmt --all -- --check docs: name: Generate docs runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: dtolnay/rust-toolchain@d8352f6b1d2e870bc5716e7a6d9b65c4cc244a1a + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} + persist-credentials: false + - run: rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" - run: cargo doc --document-private-items docker-image: @@ -59,11 +59,13 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false - name: Set up Cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - name: Login to Stackable Harbor - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: oci.stackable.tech username: robot$stackable+github-action-build