From 9301004d555be67529092e5402fa4690e1d3f8d8 Mon Sep 17 00:00:00 2001 From: Harshita Sao <84518563+harshitasao@users.noreply.github.com> Date: Mon, 19 Aug 2024 21:40:47 +0530 Subject: [PATCH] fix: fixed the token-permission and pinned dependencies issue (#7649) --- .github/workflows/codeql-analysis.yml | 13 +++++++----- .github/workflows/container-version.yaml | 10 +++++++-- .github/workflows/docs.yaml | 11 ++++++---- .github/workflows/go.yaml | 27 +++++++++++++----------- .github/workflows/mixin.yaml | 11 ++++++---- .github/workflows/react.yml | 9 +++++--- 6 files changed, 51 insertions(+), 30 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 2e6eda97da..7115aedb7c 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -20,6 +20,9 @@ on: schedule: - cron: '30 12 * * 1' +permissions: + contents: read + jobs: analyze: name: Analyze @@ -35,16 +38,16 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: 1.22.x # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 with: languages: ${{ matrix.language }} config-file: ./.github/codeql/codeql-config.yml @@ -56,7 +59,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -70,4 +73,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 diff --git a/.github/workflows/container-version.yaml b/.github/workflows/container-version.yaml index f9a3ba8cf9..4f84529b4c 100644 --- a/.github/workflows/container-version.yaml +++ b/.github/workflows/container-version.yaml @@ -3,12 +3,18 @@ on: schedule: - cron: '0 * * * *' name: busybox-update workflow +permissions: + contents: read + jobs: checkVersionAndCreatePR: + permissions: + contents: write # for peter-evans/create-pull-request to create branch + pull-requests: write # for peter-evans/create-pull-request to create a PR runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Run busybox updater run: | @@ -17,7 +23,7 @@ jobs: shell: bash - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 with: signoff: true token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 9effad81c2..befaa171f2 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -7,6 +7,9 @@ on: tags: pull_request: +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest @@ -15,21 +18,21 @@ jobs: GOBIN: /tmp/.bin steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: 1.22.x - - uses: actions/cache@v4 + - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - - uses: actions/cache@v4 + - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: .mdoxcache key: ${{ runner.os }}-mdox-${{ hashFiles('docs/**/*.md', 'examples/**/*.md', 'mixin/**/*.md', '*.md') }} diff --git a/.github/workflows/go.yaml b/.github/workflows/go.yaml index a2c5fc7eda..d89c3c47c4 100644 --- a/.github/workflows/go.yaml +++ b/.github/workflows/go.yaml @@ -8,6 +8,9 @@ on: pull_request: # TODO(bwplotka): Add tests here. +permissions: + contents: read + jobs: cross-build-check: runs-on: ubuntu-latest @@ -16,14 +19,14 @@ jobs: GOBIN: /tmp/.bin steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: 1.22.x - - uses: actions/cache@v4 + - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | ~/.cache/go-build @@ -43,14 +46,14 @@ jobs: GOBIN: /tmp/.bin steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: 1.22.x - - uses: actions/cache@v4 + - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | ~/.cache/go-build @@ -70,14 +73,14 @@ jobs: GOBIN: /tmp/.bin steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: 1.22.x - - uses: actions/cache@v4 + - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | ~/.cache/go-build @@ -119,14 +122,14 @@ jobs: GOBIN: /tmp/.bin steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Install Go. - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: 1.22.x - - uses: actions/cache@v4 + - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | ~/.cache/go-build diff --git a/.github/workflows/mixin.yaml b/.github/workflows/mixin.yaml index c56cbd9e18..08e0f3e8e1 100644 --- a/.github/workflows/mixin.yaml +++ b/.github/workflows/mixin.yaml @@ -6,15 +6,18 @@ on: pull_request: branches: [main] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: 1.22.x @@ -29,10 +32,10 @@ jobs: name: Linters (Static Analysis) for Jsonnet (mixin) steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: 1.22.x diff --git a/.github/workflows/react.yml b/.github/workflows/react.yml index df3dcebcae..c4c49d7255 100644 --- a/.github/workflows/react.yml +++ b/.github/workflows/react.yml @@ -6,6 +6,9 @@ on: - main pull_request: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -15,14 +18,14 @@ jobs: name: React UI test on Node ${{ matrix.node }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Install nodejs - uses: actions/setup-node@v4 + uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 with: node-version: ${{ matrix.node }} - - uses: actions/cache@v4 + - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}