diff --git a/.github/workflows/ci-windows-trigger.yml b/.github/workflows/ci-windows-trigger.yml
index b4d7774870..696549c4f0 100644
--- a/.github/workflows/ci-windows-trigger.yml
+++ b/.github/workflows/ci-windows-trigger.yml
@@ -4,13 +4,18 @@ on:
 issue_comment:
 types: [created]
+permissions:
+ contents: read
+
 jobs:
 windows-test-command-trigger:
+ permissions:
+ pull-requests: write # for peter-evans/slash-command-dispatch to create PR reaction
 runs-on: ubuntu-22.04
 steps:
 - name: Trigger windows-test command
- uses: peter-evans/slash-command-dispatch@v3
+ uses: peter-evans/slash-command-dispatch@f996d7b7aae9059759ac55e978cff76d91853301 # v3.0.2
 with:
 token: ${{ secrets.WINDOWS_WORKERS_TOKEN }}
 # The command to trigger the pipeline: e.g. /windows-test
diff --git a/.github/workflows/ci-windows.yml b/.github/workflows/ci-windows.yml
index f0931d57b0..8bee2b1ab7 100644
--- a/.github/workflows/ci-windows.yml
+++ b/.github/workflows/ci-windows.yml
@@ -13,7 +13,7 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Create pending status
- uses: actions/github-script@v7.0.1
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
@@ -27,7 +27,7 @@ jobs:
 })
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 repository: ${{ github.event.client_payload.pull_request.head.repo.full_name }}
@@ -55,7 +55,7 @@ jobs:
 gotestsum --format short-verbose --rerun-fails=5 --packages="./..." --junitfile TEST-unit.xml -- -timeout=30m
 - name: Create success status
- uses: actions/github-script@v7.0.1
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 if: success()
 with:
 github-token: ${{secrets.GITHUB_TOKEN}}
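Review bot: The new `permissions:` blocks only scope the automatic `GITHUB_TOKEN`; the dispatch step still authenticates with `secrets.WINDOWS_WORKERS_TOKEN`, a stored PAT whose rights were fixed when it was minted, so this hardening does not narrow what that token can do. A comment on the `token:` line would stop the next reader from assuming otherwise, e.g. `# stored PAT; its scope is not constrained by the permissions block above`. The rest of the `with:` inputs are outside the hunk; since the workflow fires on every `issue_comment`, it is worth confirming the action's `permission` input still restricts who may dispatch the command. The SHA pin with a `# v3.0.2` trailer is the right shape for this and the other hunks in the commit; if a Dependabot `github-actions` update config is not already present, adding one keeps the hash and the version comment moving together.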
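Review bot: The Checkout step in the `@@ -27` hunk checks out `github.event.client_payload.pull_request.head.repo.full_name`, i.e. the PR head from whatever fork the payload names, and the job then runs that code while holding `secrets.GITHUB_TOKEN`; unlike the other workflows in this commit, the visible hunks of ci-windows.yml add no `permissions:` block, so the token keeps whatever the default grant is. The top of the file and the job header are outside these hunks; if nothing there sets permissions, the job appears to need only `statuses: write` for the three github-script steps that presumably create commit statuses plus `contents: read` for checkout, and a job-level `permissions:` with just those scopes would bring it in line with the other files. The pinning hunks at `@@ -13`, `@@ -55` and `@@ -70` are otherwise fine.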
@@ -70,7 +70,7 @@ jobs:
 })
 - name: Create failure status
- uses: actions/github-script@v7.0.1
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 if: failure()
 with:
 github-token: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 10d3fd4e84..4193748c61 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -138,22 +138,25 @@ jobs:
 ryuk-disabled: false
 sonarcloud:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: read # for sonarsource/sonarcloud-github-action to determine which PR to decorate
 if: ${{ github.ref_name == 'main' && github.repository_owner == 'testcontainers' }}
 needs: test-examples
 runs-on: ubuntu-latest
 steps:
 - name: Check out code into the Go module directory
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 # Disabling shallow clone is recommended for improving relevancy of reporting
 fetch-depth: 0
- - uses: actions/download-artifact@v3
+ - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: sonarcloud
 - name: Analyze with SonarCloud
- uses: sonarsource/sonarcloud-github-action@master
+ uses: sonarsource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0efa608b4e..0d75b54976 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,6 +20,9 @@ on:
 schedule:
 - cron: '40 6 * * 5'
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 95016dfde0..29c2b72ee0 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
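Review bot: The sonarcloud job's `if:` keeps it to `github.ref_name == 'main'`, which is never true on a pull_request ref, so the new `pull-requests: read` grant, justified in its comment as PR decoration, looks unused under that condition; either drop it or reword the comment to say why it is kept. The Analyze step also hands `GITHUB_TOKEN` to a third-party action via `env:`, so keeping this job-level grant minimal is what bounds that exposure. The same hunk is duplicated in `modulegen/_template/ci.yml.tmpl`; whatever is decided here should be mirrored there, and the workflows already generated from that template will need regenerating to pick up the new pins.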
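Review bot: Adding a top-level `permissions: contents: read` to codeql.yml replaces the default token grant for every job that does not declare its own, and the `analyze` job body is outside this hunk; if it does not already set `security-events: write`, the SARIF upload at the end of the CodeQL analysis will fail after this change. Confirm the job block carries its own `permissions:` (`security-events: write`, with `actions: read` and `contents: read` as in the CodeQL starter workflow), the same way ci-windows-trigger.yml and release-drafter.yml grant per-job scopes in this commit.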
@@ -6,8 +6,14 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 update_release_draft:
+ permissions:
+ contents: write # for release-drafter/release-drafter to create a github release
+ pull-requests: write # for release-drafter/release-drafter to add label to PR
 runs-on: ubuntu-latest
 steps:
 - uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5.19.0
diff --git a/modulegen/_template/ci.yml.tmpl b/modulegen/_template/ci.yml.tmpl
index dacf6bb49a..2d605d0d1b 100644
--- a/modulegen/_template/ci.yml.tmpl
+++ b/modulegen/_template/ci.yml.tmpl
@@ -138,22 +138,25 @@ jobs:
 ryuk-disabled: false
 sonarcloud:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: read # for sonarsource/sonarcloud-github-action to determine which PR to decorate
 if: {{ "${{ github.ref_name == 'main' && github.repository_owner == 'testcontainers' }}" }}
 needs: test-examples
 runs-on: ubuntu-latest
 steps:
 - name: Check out code into the Go module directory
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 # Disabling shallow clone is recommended for improving relevancy of reporting
 fetch-depth: 0
- - uses: actions/download-artifact@v3
+ - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: sonarcloud
 - name: Analyze with SonarCloud
- uses: sonarsource/sonarcloud-github-action@master
+ uses: sonarsource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
 env:
 GITHUB_TOKEN: {{ "${{ secrets.GITHUB_TOKEN }}" }}
 SONAR_TOKEN: {{ "${{ secrets.SONAR_TOKEN }}" }}