From 260999f2decb8da1fe5292c852b4c307d6b94624 Mon Sep 17 00:00:00 2001
From: Julien Laffaye
Date: Wed, 7 Sep 2022 18:14:30 -0400
Subject: [PATCH] Secure GitHub workflows

---
 .github/workflows/codeql-analysis.yml | 11 ++++-------
 .github/workflows/golangci-lint.yaml | 7 +++++--
 .github/workflows/unit_tests.yaml | 12 ++++++------
 3 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 5dfabbc..c5f8e91 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,9 @@ on:
 schedule:
 - cron: '20 19 * * 2'
 
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
@@ -52,12 +55,6 @@ jobs:
 # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
 # queries: security-extended,security-and-quality
 
-
- # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
- # If this step fails, then you should remove it and run the build manually (see below)
- - name: Autobuild
- uses: github/codeql-action/autobuild@v2
-
 # ℹī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
@@ -69,4 +66,4 @@ jobs:
 # ./location_of_script_within_repo/buildscript.sh
 
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@b398f525a5587552e573b247ac661067fafa920b
diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml
index 45cf1fe..3beffad 100644
--- a/.github/workflows/golangci-lint.yaml
+++ b/.github/workflows/golangci-lint.yaml
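Review bot: The new top-level `permissions: contents: read` switches every other GITHUB_TOKEN scope off for this workflow, but the `Perform CodeQL Analysis` step later in the same file uploads SARIF results, which the codeql-action does with `security-events: write` (plus `actions: read` on private repositories). Unless the `analyze` job — whose body continues past this hunk — already declares its own `permissions:` block carrying that scope, the upload will be rejected after this change. Keep the read-only top-level default and grant the scope on the job only: `permissions:` / `contents: read` / `security-events: write` nested under `analyze:`.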
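Review bot: Removing the Autobuild step without adding the manual build the surrounding template comments describe leaves nothing in this job that builds the Go sources before `Perform CodeQL Analysis`; whether the pinned codeql-action still extracts Go without a build depends on its version, so confirm the post-change run reports analyzed Go files rather than an empty database. If a build turns out to be needed, a `run: go build ./...` step in the same position is the minimal replacement. The commit subject does not say why this step was dropped; a one-line comment where it stood, e.g. `# Autobuild removed on purpose: <reason>`, keeps the next reader from putting it back.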
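Review bot: The SHA pin `github/codeql-action/analyze@b398f525…` has no human-readable version next to it, so anyone reviewing this file later cannot tell which release it is without resolving the commit, and there is nothing in the file to check the SHA against the release it was meant to be. Append the tag the SHA resolves to as a trailing comment — `uses: github/codeql-action/analyze@b398f525a5587552e573b247ac661067fafa920b # vX.Y.Z` with the real tag — and do the same for every pin in this commit; Dependabot and Renovate keep such a comment in step with the SHA when they bump it. If the repository does not yet have a `.github/dependabot.yml` entry for the `github-actions` ecosystem, add one, otherwise SHA pins rot silently.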
@@ -5,9 +5,12 @@ jobs:
 golangci-lint:
 name: lint
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e
 - name: golangci-lint
- uses: golangci/golangci-lint-action@v2
+ uses: golangci/golangci-lint-action@5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018
 with:
 only-new-issues: true
diff --git a/.github/workflows/unit_tests.yaml b/.github/workflows/unit_tests.yaml
index 48b2ade..ea2ce8c 100644
--- a/.github/workflows/unit_tests.yaml
+++ b/.github/workflows/unit_tests.yaml
@@ -5,12 +5,12 @@ jobs:
 name: test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@master
+ - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
 - name: Setup go
- uses: actions/setup-go@v2
+ uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
 with:
- go-version: 1.17
- - uses: actions/cache@v2
+ go-version: 1.19
+ - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
 with:
 path: |
 ~/go/pkg/mod
@@ -21,9 +21,9 @@ jobs:
 - name: Run tests
 run: go test -v -covermode=count -coverprofile=coverage.out
 - name: Convert coverage to lcov
- uses: jandelgado/gcov2lcov-action@v1.0.8
+ uses: jandelgado/gcov2lcov-action@2477d9ec11814a9326e7fdde8d315783d163edb7
 - name: Coveralls
- uses: coverallsapp/github-action@v1.1.2
+ uses: coverallsapp/github-action@8cbef1dea373ebce56de0a14c68d6267baa10b44
 with:
 github-token: ${{ secrets.github_token }}
 path-to-lcov: coverage.lcov
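Review bot: `actions/checkout` is pinned to `7884fcad…` here but to `61b9e375…` in unit_tests.yaml in the same commit, so the repository now runs two different revisions of the same action — two bodies of code to audit and two independent pins to keep current. Pin both workflows to the same commit (with the same tag comment) so one review and one bump covers the action. The job-level `permissions:` with a per-scope reason is the right shape; keep it on the job when more jobs are added rather than hoisting it to a top-level block that would hand `pull-requests: read` to jobs that do not need it.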
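Review bot: unit_tests.yaml is the one workflow in this commit that gets SHA pins but no `permissions:` block, so its GITHUB_TOKEN keeps whatever default the repository settings grant, and that token is handed to a third-party action further down this file (`github-token: ${{ secrets.github_token }}` on `coverallsapp/github-action`). Add `permissions:` / `contents: read` at the top of the file or on the `test` job, and grant any extra scope the coverage upload turns out to need explicitly rather than inheriting the default. Separately, the bumped `go-version: 1.19` is an unquoted float; it is harmless today but `1.20` would parse as `1.2`, so write `go-version: '1.19'`. The Go bump is also unrelated to the commit's subject and would bisect better as its own change.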