diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml index 5201ab07..861b7e26 100644 --- a/.github/workflows/acceptance-tests.yml +++ b/.github/workflows/acceptance-tests.yml @@ -3,12 +3,17 @@ name: Acceptance Tests on: [pull_request] +permissions: {} + jobs: acceptance-tests: + permissions: {} runs-on: ubuntu-24.04 steps: - name: Check out - uses: actions/checkout@v4 - - uses: jdx/mise-action@v2 + with: + persist-credentials: false + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: jdx/mise-action@7a111ead46986ccad89a74ad013ba2a7c08c9e67 # v2.1.1 - name: Run acceptance tests run: ./scripts/run-acceptance-tests.sh ${{ github.event.pull_request.head.sha }} diff --git a/.github/workflows/ghcr-image-build-and-publish.yml b/.github/workflows/ghcr-image-build-and-publish.yml index 088be784..abaa4729 100644 --- a/.github/workflows/ghcr-image-build-and-publish.yml +++ b/.github/workflows/ghcr-image-build-and-publish.yml @@ -28,13 +28,15 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} if: github.event_name != 'pull_request' - uses: docker/login-action@v3.4.0 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} 
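Review bot: In the Check out step the new `with:` block is placed above `uses:`, so `persist-credentials: false` reads as if it belonged to the preceding step; the conventional order, and the one this same commit uses in release.yml and ghcr-image-build-and-publish.yml, is `uses:` first and `with:` below it. The same inverted ordering appears in the new lint-rest.yml and in renovate.yml, so fixing it in one place without the others leaves the repository inconsistent. The job-level `permissions: {}` duplicates the workflow-level block added just above it; that is harmless, but one of the two is enough and the job-level one is the more targeted place if more jobs are added later. Suggested change for this step: move the two lines `with:` / `persist-credentials: false` below `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`.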
@@ -44,14 +46,14 @@ jobs: # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta - uses: docker/metadata-action@v5.7.0 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action - name: Build and push Docker image - uses: docker/build-push-action@v6.16.0 + uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0 with: context: docker/ push: ${{ github.event_name != 'pull_request' }} diff --git a/.github/workflows/lint-rest.yml b/.github/workflows/lint-rest.yml new file mode 100644 index 00000000..33f9f097 --- /dev/null +++ b/.github/workflows/lint-rest.yml @@ -0,0 +1,19 @@ +--- +name: Acceptance Tests + +on: [pull_request] + +permissions: {} + +jobs: + acceptance-tests: + permissions: {} + runs-on: ubuntu-24.04 + steps: + - name: Check out + with: + persist-credentials: false + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: jdx/mise-action@7a111ead46986ccad89a74ad013ba2a7c08c9e67 # v2.1.1 + - name: Lint + run: mise run lint-rest diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml deleted file mode 100644 index 017f5ccc..00000000 --- a/.github/workflows/markdown-link-check.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -name: markdown-link-check - -on: - pull_request: - paths: - - "**.md" - -jobs: - markdown-link-check: - runs-on: ubuntu-24.04 - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - uses: lycheeverse/lychee-action@v2 - with: - # remove version after next release of lychee-action - lycheeVersion: latest - args: --include-fragments . diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f71836c5..51a088cc 100644 --- a/.github/workflows/release.yml 
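Review bot: The new lint-rest.yml is named `Acceptance Tests` and its job id is `acceptance-tests`, copied verbatim from acceptance-tests.yml, so two workflows now report under one name and a branch-protection rule requiring the "acceptance-tests" check can be satisfied by whichever of the two finishes with that label. Rename both to match the file: `name: Lint (rest)` and `lint-rest:` as the job id. Because the job runs with `permissions: {}` and passes no token to the `mise run lint-rest` step, zizmor's online audits (the ones that query GitHub for known-vulnerable or impostor commits) will most likely be skipped or reported as unavailable, leaving only the offline audits; if the online ones are wanted, the step needs a `GH_TOKEN` with read-only scope. This replaces the deleted markdown-link-check.yml, which ran only on `**.md` changes; the link check now runs on every pull request, which is a cost and flakiness trade-off worth stating in the PR description.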
+++ b/.github/workflows/release.yml @@ -16,10 +16,12 @@ jobs: steps: - id: checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - id: push-to-dockerhub - uses: grafana/shared-workflows/actions/build-push-to-dockerhub@main + uses: grafana/shared-workflows/actions/build-push-to-dockerhub@402975d84dd3fac9ba690f994f412d0ee2f51cf4 # v0.1.1 with: repository: grafana/otel-lgtm context: docker diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index b7efa6af..ea10b837 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -14,6 +14,8 @@ jobs: timeout-minutes: 10 steps: - name: Checkout Code + with: + persist-credentials: false uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: retrieve secrets diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml index 8f6fb24f..102695d4 100644 --- a/.github/workflows/super-linter.yml +++ b/.github/workflows/super-linter.yml @@ -16,15 +16,16 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false fetch-depth: 0 - name: Load super-linter configuration run: grep -v '^#' .github/super-linter.env | grep -v 'FIX_' >> "$GITHUB_ENV" - name: Super-linter - uses: super-linter/super-linter@v7.3.0 + uses: super-linter/super-linter@4e8a7c2bf106c4c766c816b35ec612638dc9b6b2 # v7.3.0 env: # To report GitHub Actions status checks GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/mise.lock b/mise.lock index 2ff1ca32..1ed10f29 100644 --- a/mise.lock +++ b/mise.lock @@ -1,3 +1,7 @@ +[tools."cargo:zizmor"] +version = "1.6.0" +backend = "cargo:zizmor" + [tools.go] # renovate: datasource=github-releases depName=go packageName=golang/go version = "1.24.2" diff --git a/mise.toml b/mise.toml index a3e52aea..411e778a 100644 
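Review bot: The pin comment `# v0.1.1` on the build-push-to-dockerhub step may not name a tag that exists upstream: grafana/shared-workflows appears to tag each action separately (roughly `<action>-v<version>`), and Renovate derives the current version of a SHA-pinned action from that comment, so a comment naming a non-existent tag leaves the pin without automatic refresh. If that is the tagging scheme, the comment should read `# build-push-to-dockerhub-v0.1.1`; check the upstream release list before merging. The step's remaining inputs continue outside the hunk.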
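Review bot: `persist-credentials: false` on the checkout step does not narrow what the Super-linter step can do, because that step still receives `secrets.GITHUB_TOKEN` through `env:`, and the scope of that token is set by the job's `permissions:`, which this hunk does not show. The other workflows in this commit gain a `permissions: {}` block; if super-linter.yml does not yet declare one, a job-level block granting only what the status-check reporting needs (`contents: read` together with `statuses: write`, which is what super-linter's documentation asks for) would keep the token from inheriting the repository default. The job header and its permissions lie outside the hunk, so this is inferred from the env block alone.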
--- a/mise.toml
+++ b/mise.toml
@@ -1,4 +1,5 @@
 [tools]
+"cargo:zizmor" = "latest"
 go = "latest"
 "go:github.com/grafana/oats" = "latest"
 java = "temurin-21.0.7+6.0.LTS"
@@ -14,9 +15,16 @@ run = "markdownlint-cli2 --fix ."
 [tasks.lint-links]
 run = "lychee --cache --include-fragments ."
 
+[tasks.lint-gh-actions]
+run = "zizmor .github/"
+
 [tasks.lint-all]
 depends = ["lint", "lint-links"]
 
+[tasks.lint-rest]
+description = "All lints not covered by super linter"
+depends = ["lint-links", "lint-gh-actions"]
+
 [tasks.test]
 description = "Run integration tests"
 run = './scripts/run-acceptance-tests.sh {{arg(name="tag", default="latest")}}'
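Review bot: `lint-all` still depends only on `lint` and `lint-links`, so the new `lint-gh-actions` task is reachable only through `lint-rest`; a developer running `mise run lint-all` locally will not see the zizmor findings that CI now enforces via lint-rest.yml. Either widen it, `depends = ["lint", "lint-rest"]`, or note in a comment that `lint-all` is deliberately the super-linter-only set. The new `[tasks.lint-gh-actions]` entry has no `description` while its neighbours `lint-rest` and `test` do; `description = "Audit GitHub Actions workflows with zizmor"` would keep `mise tasks` output uniform.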