From 3a219c8d3a2b1fc50171709fbcc657464ab1bc5c Mon Sep 17 00:00:00 2001
From: Michael McLoughlin
Date: Tue, 27 Apr 2021 21:42:09 -0700
Subject: [PATCH] ci: github actions hardening (#190)

Restrict permissions of github token. Pin action versions.

Following advice in briansmith/untrusted#50.
---
 .github/workflows/ci.yml | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 998fd76b..f39e71ca 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,3 +1,8 @@
+name: ci
+
+permissions:
+ contents: read
+
 on:
 push:
 branches:
@@ -6,7 +11,6 @@ on:
 schedule:
 - cron: '17 12 * * 6'
 
-name: ci
 jobs:
 test:
 strategy:
@@ -16,7 +20,7 @@ jobs:
 runs-on: ${{ matrix.platform }}
 steps:
 - name: Install Go
- uses: actions/setup-go@v1
+ uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3
 with:
 go-version: ${{ matrix.go-version }}
 - name: Configure Go Environment
@@ -26,7 +30,9 @@ jobs:
 - name: Go Environment
 run: go env
 - name: Checkout code
- uses: actions/checkout@v1
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
+ with:
+ persist-credentials: false
 - name: Bootstrap
 run: ./script/bootstrap
 
@@ -38,13 +44,13 @@ jobs:
 run: ./script/coverage
 
 - name: Upload Unit Test Coverage
- uses: codecov/codecov-action@v1.0.5
+ uses: codecov/codecov-action@967e2b38a85a62bd61be5529ada27ebc109948c2 #v1.4.1
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 file: unittests.coverprofile
 flags: unittests
 - name: Upload Integration Test Coverage
- uses: codecov/codecov-action@v1.0.5
+ uses: codecov/codecov-action@967e2b38a85a62bd61be5529ada27ebc109948c2 #v1.4.1
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 file: integration.coverprofile
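Review bot: The new top-level `permissions:` block in the first hunk has no comment saying that it sets the default GITHUB_TOKEN scope for every job in this workflow, so a future job that needs write access will fail with no obvious pointer to this line. Suggest `# Default-deny GITHUB_TOKEN scope for all jobs; a job that needs more must declare its own permissions: block.` directly above `permissions:`. `contents: read` is the minimum the checkout steps need, and since the checkout hunks also set `persist-credentials: false` the token is not left in the checked-out repository's git configuration for later steps to pick up.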
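Review bot: The two codecov pins in the `@@ -38,13 +44,13 @@` hunk write the version comment as `#v1.4.1` with no space after `#`, while the setup-go and checkout pins in the other hunks use `# v2.1.3` and `# v2.3.4`; yamllint's `comments` rule expects the space, so both lines should read `uses: codecov/codecov-action@967e2b38a85a62bd61be5529ada27ebc109948c2  # v1.4.1`. It would also help to note above these steps that the SHA pins only the action's own source, not anything the action fetches while it runs; if this version of codecov-action downloads an uploader at run time, that download is outside the pin and the `CODECOV_TOKEN` passed on the following `token:` lines is handled by whatever it returns, which is worth confirming against the action's source before relying on the pin alone.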
@@ -58,7 +64,7 @@ jobs:
 runs-on: ${{ matrix.platform }}
 steps:
 - name: Install Go
- uses: actions/setup-go@v1
+ uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3
 with:
 go-version: ${{ matrix.go-version }}
 - name: Configure Go Environment
@@ -68,7 +74,9 @@ jobs:
 - name: Go Environment
 run: go env
 - name: Checkout code
- uses: actions/checkout@v1
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
+ with:
+ persist-credentials: false
 - name: Bootstrap
 run: ./script/bootstrap
 - name: Lint
@@ -82,11 +90,13 @@ jobs:
 runs-on: ${{ matrix.platform }}
 steps:
 - name: Install Go
- uses: actions/setup-go@v1
+ uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3
 with:
 go-version: ${{ matrix.go-version }}
 - name: Checkout code
- uses: actions/checkout@v1
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
+ with:
+ persist-credentials: false
 - name: Run Third-Party Tests
 working-directory: ./tests/thirdparty
 run: go test -pkgs packages.json