diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index 01f69bd..990cbb0 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -2,11 +2,14 @@ name: Build & Test on: [pull_request, push] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Build builder image run: | builder/build_docker_image
@@ -14,12 +17,12 @@ jobs: run: | builder/build - name: Upload build - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: svr-info path: dist/svr-info*.tgz - name: Upload oss package - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: oss_source path: dist/oss_source.tgz
@@ -28,9 +31,9 @@ jobs: needs: [build] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: download svr-info - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: svr-info - name: install jq
@@ -59,7 +62,7 @@ jobs: # TODO: add more tests here - name: upload report if: ${{ always() }} - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: ${{ matrix.runner }} report path: svr-info/output/
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b85129f..9e0a0ef 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -9,6 +9,9 @@ on: schedule: - cron: '36 18 * * 3' +permissions: + contents: read + jobs: analyze: name: Analyze
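Review bot: The full-SHA pin on the `actions/checkout` line in this hunk (and the `upload-artifact`/`download-artifact` pins in the three later hunks of this file) only hardens the supply chain if each SHA really is the commit behind the tag named in its trailing comment; the runner never checks that `# v3.6.0` corresponds to `f43a0e5…`, so the reviewer should resolve each SHA against the upstream tag before merging. Keep the `sha # vX.Y.Z` comment form exactly as written, since Dependabot and Renovate use that comment to recognise and bump SHA pins; a pin without it is effectively frozen. The workflow-level `permissions: contents: read` also drops every other GITHUB_TOKEN scope to none; the artifact steps later in the file appear to need nothing more, but that is worth confirming with one green run of both jobs before the change lands.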
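Review bot: The workflow-level `permissions: contents: read` added in this codeql.yml hunk sets every other GITHUB_TOKEN scope to none, and `github/codeql-action/analyze` (pinned in the last hunk of this file) needs `security-events: write` to upload its SARIF results, plus `actions: read` on a private repository. The `analyze` job's header sits between this hunk and the next and is outside the diff, so if that job does not already carry its own `permissions:` block the scan will run and then fail with a 403 at upload time. The least-privilege fix is a job-level `permissions:` on `analyze` listing `actions: read`, `contents: read` and `security-events: write`, leaving the workflow-level `contents: read` as the default for anything else; widening the workflow-level block to include `security-events: write` is the one-line alternative if there is only the one job.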
@@ -24,10 +27,10 @@ jobs: language: [ 'cpp', 'go' ] steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@1500a131381b66de0c52ac28abb13cd79f4b7ecc # v2.22.12 with: languages: ${{ matrix.language }} - name: Build golang
@@ -41,6 +44,6 @@ jobs: cd src/calcfreq/ make - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@1500a131381b66de0c52ac28abb13cd79f4b7ecc # v2.22.12 with: category: "/language:${{matrix.language}}"