Secure GitHub workflows

2022-09-07 18:14:30 -04:00 · 2022-09-07 18:14:30 -04:00 · 260999f2de
commit 260999f2de
parent f1ba13192b
3 changed files with 15 additions and 15 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -20,6 +20,9 @@ on:
  schedule:
    - cron: '20 19 * * 2'

+permissions:
+  contents: read
+
 jobs:
  analyze:
    name: Analyze
@ -52,12 +55,6 @@ jobs:
        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
        # queries: security-extended,security-and-quality

-        
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
-
    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

@ -69,4 +66,4 @@ jobs:
    #   ./location_of_script_within_repo/buildscript.sh

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@b398f525a5587552e573b247ac661067fafa920b
--- a/.github/workflows/golangci-lint.yaml
+++ b/.github/workflows/golangci-lint.yaml
@ -5,9 +5,12 @@ jobs:
  golangci-lint:
    name: lint
    runs-on: ubuntu-latest
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018
        with:
          only-new-issues: true
--- a/.github/workflows/unit_tests.yaml
+++ b/.github/workflows/unit_tests.yaml
@ -5,12 +5,12 @@ jobs:
    name: test
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
    - name: Setup go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
      with:
-        go-version: 1.17
-    - uses: actions/cache@v2
+        go-version: 1.19
+    - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
      with:
        path: |
          ~/go/pkg/mod
@ -21,9 +21,9 @@ jobs:
    - name: Run tests
      run: go test -v -covermode=count -coverprofile=coverage.out
    - name: Convert coverage to lcov
-      uses: jandelgado/gcov2lcov-action@v1.0.8
+      uses: jandelgado/gcov2lcov-action@2477d9ec11814a9326e7fdde8d315783d163edb7
    - name: Coveralls
-      uses: coverallsapp/github-action@v1.1.2
+      uses: coverallsapp/github-action@8cbef1dea373ebce56de0a14c68d6267baa10b44
      with:
        github-token: ${{ secrets.github_token }}
        path-to-lcov: coverage.lcov