percona · artemgavrilov · Nov 14, 2024 · Nov 14, 2024
@@ -2,6 +2,9 @@ name: Checks
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   format:
     name: Format
@@ -15,13 +18,13 @@ jobs:
           sudo apt-get install -y libcurl4-openssl-dev
 
       - name: Clone postgres repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: 'postgres/postgres'
           ref: 'REL_17_STABLE'
 
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: 'contrib/pg_tde'
 

@@ -7,17 +7,20 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build-and-push:
     name: Build and Push
     runs-on: ubuntu-latest
 
     steps:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
 
       - name: Build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
           file: docker/Dockerfile
           load: true # Put image in local docker
@@ -34,14 +37,14 @@ jobs:
 
       - name: Login to Docker Hub
         if: ${{ github.ref == 'refs/heads/main' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Push
         if: ${{ github.ref == 'refs/heads/main' }}
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
           file: docker/Dockerfile
           push: true

@@ -6,6 +6,9 @@ on:
     paths:
       - "documentation/**"
 
+permissions:
+  contents: read
+
 jobs:
   release:
     name: Release
@@ -16,10 +19,10 @@ jobs:
 
     steps:
       - name: Chekout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: "3.x"
 

@@ -5,8 +5,13 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      contents: write  # for ncipollo/release-action to create a release
     name: pg-16-ppg-package-pgxs-build
     runs-on: ubuntu-22.04
     steps:
@@ -55,7 +60,7 @@ jobs:
             percona-postgis percona-pg-stat-monitor16
 
       - name: Clone pg_tde repository
-        uses: actions/checkout@master
+        uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master
         with:
           path: 'src/pg_tde'
 
@@ -90,7 +95,7 @@ jobs:
         working-directory: src/pg_tde
 
       - name: Report on test fail
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: ${{ failure() }}
         with:
           name: Regressions diff and postgresql log
@@ -113,7 +118,7 @@ jobs:
           sudo cp /usr/lib/postgresql/16/lib/pg_tde* pgtde-ppg16/usr/lib/postgresql/16/lib/
 
       - name: Upload tgz
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: pg_tde_ppg16_binary
           path: pgtde-ppg16
@@ -135,7 +140,7 @@ jobs:
           sudo dpkg -i --debug=7777 pgtde-ppg16.deb
 
       - name: Upload deb
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: pg_tde_deb
           path: pgtde-ppg16.deb
@@ -145,7 +150,7 @@ jobs:
           cd pgtde-ppg16 && sudo tar -czvf ../pgtde-ppg16.tar.gz .
 
       - name: Publish release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
         # Only try and deploy on merged code
         if: "github.repository == 'percona/pg_tde' && github.ref_name == 'main' && (github.event_name == 'push' || github.event_name == 'schedule')"
         with:

@@ -1,6 +1,9 @@
 name: postgresql-16-src-make-macos
 on: [pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: pg-16-src-make-test
@@ -15,14 +18,14 @@ jobs:
           sudo /usr/bin/perl -MCPAN -e 'install Text::Trim'
 
       - name: Clone postgres repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: 'postgres/postgres'
           ref: 'a81e5516fa4bc53e332cb35eefe231147c0e1749'
           path: 'src'
 
       - name: Clone pg_tde repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: 'src/contrib/pg_tde'
 
@@ -65,7 +68,7 @@ jobs:
         working-directory: src/contrib/pg_tde
 
       - name: Report on test fail
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: ${{ failure() }}
         with:
           name: Regressions diff and postgresql log

@@ -1,6 +1,9 @@
 name: postgresql-16-src-make-ssl11
 on: [pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: pg-16-src-make-test-ssl11
@@ -34,14 +37,14 @@ jobs:
           sudo apt update && sudo apt install -y vault
 
       - name: Clone postgres repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: 'postgres/postgres'
           ref: 'a81e5516fa4bc53e332cb35eefe231147c0e1749'
           path: 'src'
 
       - name: Clone pg_tde repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: 'src/contrib/pg_tde'
 
@@ -82,7 +85,7 @@ jobs:
         working-directory: src/contrib/pg_tde
 
       - name: Report on test fail
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: ${{ failure() }}
         with:
           name: Regressions diff and postgresql log

@@ -1,6 +1,9 @@
 name: postgresql-16-src-make
 on: [pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: pg-16-src-make-test
@@ -34,14 +37,14 @@ jobs:
           sudo apt update && sudo apt install -y vault
 
       - name: Clone postgres repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: 'postgres/postgres'
           ref: 'a81e5516fa4bc53e332cb35eefe231147c0e1749'
           path: 'src'
 
       - name: Clone pg_tde repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: 'src/contrib/pg_tde'
 
@@ -82,7 +85,7 @@ jobs:
         working-directory: src/contrib/pg_tde
 
       - name: Report on test fail
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: ${{ failure() }}
         with:
           name: Regressions diff and postgresql log

@@ -1,6 +1,9 @@
 name: postgresql-16-src-meson-macos
 on: [pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: pg-16-src-meson-test
@@ -15,14 +18,14 @@ jobs:
           sudo /usr/bin/perl -MCPAN -e 'install Text::Trim'
 
       - name: Clone postgres repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: 'postgres/postgres'
           ref: 'a81e5516fa4bc53e332cb35eefe231147c0e1749'
           path: 'src'
 
       - name: Clone pg_tde repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: 'src/contrib/pg_tde'
 
@@ -49,7 +52,7 @@ jobs:
         working-directory: src/build
 
       - name: Report on test fail
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: ${{ failure() }}
         with:
           name: Regressions diff and postgresql log

@@ -1,6 +1,9 @@
 name: postgresql-16-src-meson
 on: [pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: pg-16-src-meson-test
@@ -35,14 +38,14 @@ jobs:
           sudo apt update && sudo apt install -y vault
 
       - name: Clone postgres repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: 'postgres/postgres'
           ref: 'a81e5516fa4bc53e332cb35eefe231147c0e1749'
           path: 'src'
 
       - name: Clone pg_tde repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: 'src/contrib/pg_tde'
 
@@ -69,7 +72,7 @@ jobs:
         working-directory: src/build
 
       - name: Report on test fail
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: ${{ failure() }}
         with:
           name: Regressions diff and postgresql log

@@ -1,6 +1,9 @@
 name: postgresql-17-src-make
 on: [pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: pg-17-src-make-test
@@ -34,14 +37,14 @@ jobs:
           sudo apt update && sudo apt install -y vault
 
       - name: Clone postgres repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: 'postgres/postgres'
           ref: 'REL_17_STABLE'
           path: 'src'
 
       - name: Clone pg_tde repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: 'src/contrib/pg_tde'
 
@@ -82,7 +85,7 @@ jobs:
         working-directory: src/contrib/pg_tde
 
       - name: Report on test fail
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: ${{ failure() }}
         with:
           name: Regressions diff and postgresql log

@@ -38,14 +38,14 @@ jobs:
           sudo apt update && sudo apt install -y vault
 
       - name: Clone postgres repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: 'percona-lab/postgres'
           ref: 'TDE_REL_17_STABLE'
           path: 'src'
 
       - name: Clone pg_tde repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: 'src/contrib/pg_tde'
 
@@ -68,7 +68,7 @@ jobs:
         working-directory: src/build
 
       - name: Report on test fail
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: ${{ failure() }}
         with:
           name: Regressions diff and postgresql log
@@ -128,7 +128,7 @@ jobs:
           echo "EOF" >> $GITHUB_ENV
         working-directory: inst
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: pr_perf_results
           path: inst/pr_perf_results