From fd63a1a99cbb72aa175e248337228b7aeb941a2c Mon Sep 17 00:00:00 2001
From: jharper5
Date: Fri, 5 Jan 2024 14:43:24 -0800
Subject: [PATCH 1/2] add permissions restriction to github workflows

---
 .github/workflows/build-test.yml | 3 +++
 .github/workflows/codeql.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index 01f69bd..da1407e 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -2,6 +2,9 @@ name: Build & Test
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b85129f..ba0ba07 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -9,6 +9,9 @@ on:
   schedule:
     - cron: '36 18 * * 3'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze

From cb06a360a5787e02d6020c88811c9c8abb55b53c Mon Sep 17 00:00:00 2001
From: jharper5
Date: Fri, 5 Jan 2024 15:19:44 -0800
Subject: [PATCH 2/2] pin github actions

---
 .github/workflows/build-test.yml | 12 ++++++------
 .github/workflows/codeql.yml | 6 +++---
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index da1407e..990cbb0 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -9,7 +9,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
     - name: Build builder image
       run: |
         builder/build_docker_image
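Review bot: The new workflow-level `permissions:` block has no comment saying why it is there, so the next person who adds a step that needs write access (a release upload, a PR comment) is likely to widen this block for the whole workflow instead of scoping the grant to one job. Add above it: `# Least-privilege GITHUB_TOKEN: the visible steps only check out, build and upload artifacts. Jobs that need more must declare their own permissions block.` The `jobs:` mapping continues outside the hunk, so whether any later job already overrides this cannot be seen here.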
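Review bot: Limiting the whole workflow to `contents: read` will make CodeQL's results upload fail unless the `analyze` job, whose body starts at the end of this hunk and continues outside it, declares its own `permissions:` block — the SARIF upload performed by the analyze step needs `security-events: write` (and `actions: read` on private repositories). Job-level `permissions` replace the workflow-level default for that job, so the intended shape is to keep this read-only default and add to the job: `permissions:` / `contents: read` / `security-events: write`. If the job already carries such a block below the hunk, this change is fine as a backstop for any jobs added later; it would be worth confirming with a run of the scheduled scan rather than assuming.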
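Review bot: The `# v3.6.0` trailer on the new SHA pin is the only link between the hash and a human-readable release, and nothing in this change keeps either current; a pin that is never bumped quietly freezes the action on a release that may later need a security fix, which is the opposite of what pinning is meant to buy. Add a `.github/dependabot.yml` with an `updates:` entry for `package-ecosystem: github-actions` on `directory: "/"` with a weekly schedule — it understands SHA pins and bumps the hash and the version comment together — and treat the comment as part of the pin, verifying tag and hash agree at each update (`git ls-remote --tags` against the action repository). Note also that the checkout v3 line presumably still runs on the Node 16 action runtime that GitHub has scheduled for removal; confirm, and consider moving to the v4 line at the next bump.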
@@ -17,12 +17,12 @@ jobs:
       run: |
         builder/build
     - name: Upload build
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: svr-info
         path: dist/svr-info*.tgz
     - name: Upload oss package
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: oss_source
         path: dist/oss_source.tgz
@@ -31,9 +31,9 @@ jobs:
     needs: [build]
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
     - name: download svr-info
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
       with:
         name: svr-info
     - name: install jq
@@ -62,7 +62,7 @@ jobs:
         # TODO: add more tests here
     - name: upload report
       if: ${{ always() }}
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: ${{ matrix.runner }} report
         path: svr-info/output/
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ba0ba07..9e0a0ef 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,10 +27,10 @@ jobs:
         language: [ 'cpp', 'go' ]
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@1500a131381b66de0c52ac28abb13cd79f4b7ecc # v2.22.12
       with:
         languages: ${{ matrix.language }}
     - name: Build golang
@@ -44,6 +44,6 @@ jobs:
         cd src/calcfreq/
         make
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@1500a131381b66de0c52ac28abb13cd79f4b7ecc # v2.22.12
       with:
         category: "/language:${{matrix.language}}"
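Review bot: The `if: ${{ always() }}` on the report upload, two lines above the newly pinned `upload-artifact`, also fires when the run is cancelled, so a cancelled test job still spends time uploading a partial `svr-info/output/` tree. The usual intent — upload on success and on failure but not on cancellation — is `if: ${{ !cancelled() }}`. The enclosing test job starts outside this hunk, so I cannot see whether anything downstream relies on a report existing for cancelled runs.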
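Review bot: Replacing the moving `v2` tag on `github/codeql-action/init` with a commit hash means CodeQL engine and query updates stop arriving on their own: the weekly `schedule` trigger in this workflow will keep scanning with the same pinned action until someone bumps `1500a131…`, which makes an automated pin updater (a `github-actions` entry in `.github/dependabot.yml`) more important here than for the build workflow. Add a comment above the step making that explicit, e.g. `# Pinned to a commit; bump the hash and the version trailer together so the CodeQL engine keeps receiving updates.` As far as I recall, `init` also fetches a CodeQL CLI bundle at run time whose version is chosen by the action unless the `tools:` input is set — confirm against the action's documentation if a fully reproducible toolchain is the goal.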
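Review bot: A small style point on the analyze step's `category:` line: `${{matrix.language}}` omits the spaces inside the braces that the `languages: ${{ matrix.language }}` line earlier in the same file uses. Both parse, but one form per file is easier to grep for; change it to `category: "/language:${{ matrix.language }}"`. The surrounding `analyze` job starts outside this hunk.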