chore(ci): Harden CI

VorpalBlade · Nov 3, 2024 · 85a6e1c · 85a6e1c
1 parent 501e1cd
commit 85a6e1c
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 5 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -64,6 +64,8 @@ jobs:
             debug_info: off
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Environment info
         run: |
           echo "rustup --version:"; rustup --version
@@ -117,6 +119,8 @@ jobs:
           - stable
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install Rust
         run: rustup install --profile minimal  ${{ matrix.rust }} && rustup default ${{ matrix.rust }}
       - name: Install libdbus
@@ -188,6 +192,8 @@ jobs:
             rust: nightly
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Environment info
         run: |
           echo "rustup --version:"; rustup --version

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -24,6 +24,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup Rust
         run: rustup update stable && rustup default stable && rustup component add clippy
@@ -60,6 +62,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Install Rust
       run: rustup install --profile minimal stable && rustup default stable && rustup component add rustfmt
     - run: cargo fmt -- --check
@@ -68,6 +72,8 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Setup Rust
       run: rustup update stable && rustup default stable && rustup component add clippy
@@ -85,6 +91,8 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Setup Rust
       run: rustup update stable && rustup default stable && rustup component add clippy

diff --git a/.github/workflows/mdbook-release.yml b/.github/workflows/mdbook-release.yml
@@ -20,6 +20,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
       - name: Install latest mdbook
         run: |

diff --git a/.github/workflows/mdbook.yml b/.github/workflows/mdbook.yml
@@ -16,6 +16,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@master
+      with:
+        persist-credentials: false
     - name: Install Rust
       run: |
         rustup set profile minimal

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,10 +1,5 @@
 name: Release
 
-permissions:
-  attestations: write
-  contents: write
-  id-token: write
-
 on:
   push:
     tags:
@@ -28,8 +23,13 @@ env:
 jobs:
   create-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: taiki-e/[email protected]
         with:
           draft: true
@@ -39,8 +39,13 @@ jobs:
   cargo-about:
     needs: create-release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Setup Rust
       run: rustup update stable && rustup default stable && rustup component add clippy
     - name: Get cargo-binstall
@@ -57,6 +62,10 @@ jobs:
 
   upload-assets:
     needs: create-release
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write # Needed for attestations
     strategy:
       matrix:
         include:
@@ -96,6 +105,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: taiki-e/[email protected]
         id: upload-rust-binary-action
         with:
@@ -119,6 +130,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - run: cargo publish --token ${CRATES_TOKEN}
         env:
           CRATES_TOKEN: ${{ secrets.CRATES_TOKEN }}
@@ -129,6 +142,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Get AUR repo
         run: git clone https://aur.archlinux.org/chezmoi_modify_manager.git aur
       - name: Update PKGBUILD