Skip to content

Commit

Permalink
[StepSecurity] ci: Harden GitHub Actions (#960)
Browse files Browse the repository at this point in the history 
Signed-off-by: StepSecurity Bot <[email protected]>
Co-authored-by: Nurlan Moldomurov <[email protected]>
  • Loading branch information
@step-security-bot @BupycHuk
step-security-bot and BupycHuk authored Nov 14, 2024
1 parent dc46ed5 commit 09af8cd
Show file tree
Hide file tree
Showing 4 changed files with 21 additions and 13 deletions.
9 changes: 6 additions & 3 deletions .github/workflows/go.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,9 @@ on:
- v[0-9]+.[0-9]+.[0-9]+*
pull_request:

permissions:
contents: read

jobs:
build:
name: Build
Expand All @@ -36,10 +39,10 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Set up Go
uses: actions/setup-go@v5
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: ${{ github.workspace }}/go.mod

Expand All @@ -52,7 +55,7 @@ jobs:
- name: Upload coverage results
uses: codecov/codecov-action@v3
uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6
with:
file: cover.out
flags: agent
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/lint.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,10 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Set up Go
uses: actions/setup-go@v5
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: ${{ github.workspace }}/go.mod

Expand Down
19 changes: 12 additions & 7 deletions .github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,42 +8,47 @@ on:
# manually trigger the release
workflow_dispatch:

permissions:
contents: read

jobs:
goreleaser:
permissions:
contents: write # for goreleaser/goreleaser-action to create a GitHub release
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

- name: Set up Go
uses: actions/setup-go@v5
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: ${{ github.workspace }}/go.mod

- name: Login to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v6
uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
with:
version: "~> v2"
args: release --clean
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/scorecard.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,6 @@ jobs:

# Upload the results to GitHub's code scanning dashboard (optional).
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3
with:
sarif_file: results.sarif

0 comments on commit 09af8cd

Please sign in to comment.