From d8aaf8919eeb0e4786e1fc6934cedf8c31322fd1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Marqu=C3=ADnez=20Prado?= <25435858+inigomarquinez@users.noreply.github.com>
Date: Tue, 30 Apr 2024 17:32:46 +0200
Subject: [PATCH] ci: pin dependencies and specify permissions in the pipeline (#25)
PR-URL: https://github.com/jshttp/statuses/pull/25
---
 .github/workflows/ci.yml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fd31803..a4bce56 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,9 +4,15 @@ on:
 - pull_request
 - push
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-20.04
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ checks: write # for coverallsapp/github-action to create new checks
 strategy:
 matrix:
 name:
@@ -124,7 +130,7 @@ jobs:
 node-version: "21.7"
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
 - name: Install Node.js ${{ matrix.node-version }}
 shell: bash -eo pipefail -l {0}
@@ -195,7 +201,7 @@ jobs:
 run: npm run lint
 - name: Collect code coverage
- uses: coverallsapp/github-action@master
+ uses: coverallsapp/github-action@3dfc5567390f6fa9267c0ee9c251e4c8c3f18949 #v2.2.3
 if: steps.list_env.outputs.nyc != ''
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -205,9 +211,12 @@ jobs:
 coverage:
 needs: test
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ checks: write # for coverallsapp/github-action to create new checks
 steps:
 - name: Upload code coverage
- uses: coverallsapp/github-action@master
+ uses: coverallsapp/github-action@3dfc5567390f6fa9267c0ee9c251e4c8c3f18949 #v2.2.3
 with:
 github-token: ${{ secrets.github_token }}
 parallel-finished: true
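Review bot: `checks: write` in the `test` job's new `permissions` block is job-wide, so every matrix leg and every step in the job can use it, although the comment names only the Coveralls step as its consumer. The hunk does not show whether that action calls the Checks API or only uses the token to identify the repository to Coveralls, so this should be confirmed against the action's documentation and the scope dropped here and in the `coverage` job if it turns out to be unused. If it stays, a comment that states the reach would help the next reader, e.g. `# job-wide: all steps in this job run with checks: write on push events`. The `test` job's body continues outside the hunk.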
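Review bot: The pinned `actions/checkout` step has no `with:` block, so the action's default of leaving the job token in the local git configuration stays in effect for the later install and test steps. Because this job now carries `checks: write`, adding `with:` and `persist-credentials: false` under the step would keep the token out of reach of steps that never need it. Separately, the trailing `#v4.1.1` comment is the only thing that ties the SHA to a release and nothing in the diff verifies it; the SHA should be checked against the upstream tag, and `# v4.1.1` with a space is the more conventional comment form. The same applies to the `#v2.2.3` comments in the two Coveralls hunks. No update mechanism for the pinned SHAs is visible in this patch, so they will go stale unless one exists elsewhere in the repository.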
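Review bot: The comment on `contents: read` in the `coverage` job says it is for actions/checkout, but the only step visible in that job is the Coveralls upload, so the stated reason does not match the job. If the job really has no checkout step, the line can be dropped, leaving only `checks: write # for coverallsapp/github-action to create new checks`, since an explicit `permissions` block leaves unlisted scopes at none. Otherwise the comment should be reworded to name what actually reads the repository. The job's step list may continue past the hunk, so this needs checking against the full file.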