From dfbde80cc728444754708abdfde3683db187427a Mon Sep 17 00:00:00 2001 From: Gareth Jones Date: Sun, 5 Mar 2023 09:03:04 +1300 Subject: [PATCH] ci: harden permissions and update `golangci-lint` version in release workflow (#177) * ci: harden permissions * ci: update `golangci-lint` version in release workflow --- .github/workflows/checks.yml | 15 +++++++++++++++ .github/workflows/release.yml | 23 ++++++++++++++++++----- 2 files changed, 33 insertions(+), 5 deletions(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 951c2ddd..af0e5ff5 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -9,12 +9,17 @@ on: env: GO_VERSION: '1.17.9' +permissions: + contents: read # to fetch code (actions/checkout) + jobs: test-ubuntu: name: Test on Ubuntu runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} @@ -26,6 +31,8 @@ jobs: runs-on: macos-latest steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} @@ -37,6 +44,8 @@ jobs: runs-on: windows-latest steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} @@ -48,6 +57,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v3 + with: + persist-credentials: false - uses: actions/setup-go@v3 with: @@ -62,6 +73,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v3 + with: + persist-credentials: false - run: make lint-with-go-fmt prettier: @@ -69,6 +82,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v3 + with: + persist-credentials: false - uses: actions/setup-node@v3 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fc42f11f..5bcfe216 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
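Review bot: The `uses:` references in the jobs touched by these checks.yml hunks still point at mutable tags (`actions/checkout@v3`, `actions/setup-go@v3`, `actions/setup-node@v3`), so the code a job runs can change without any change in this repository. Since the commit is about hardening, pinning each one to a full commit SHA with the tag kept as a trailing comment would close that gap, for example `- uses: actions/checkout@<full-commit-sha> # v3` (placeholder; take the SHA from the action's own release). The same applies to the release.yml hunks, where `golangci/golangci-lint-action@v3` is a third-party action. The job bodies continue outside these hunks, so other `uses:` lines may need the same treatment.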
@@ -8,12 +8,17 @@ on: env: GO_VERSION: '1.17.9' +permissions: + contents: read # to fetch code (actions/checkout) + jobs: test-ubuntu: name: Test on Ubuntu runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} @@ -25,6 +30,8 @@ jobs: runs-on: macos-latest steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} @@ -36,6 +43,8 @@ jobs: runs-on: windows-latest steps: - uses: actions/checkout@v3 + with: + persist-credentials: false - uses: actions/setup-go@v3 with: go-version: ${{ env.GO_VERSION }} @@ -45,8 +54,9 @@ jobs: golangci-lint: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v3 + - uses: actions/checkout@v3 + with: + persist-credentials: false - uses: actions/setup-go@v3 with: @@ -55,12 +65,13 @@ jobs: - name: Run golangci-lint uses: golangci/golangci-lint-action@v3 with: - version: v1.44 + version: v1.47 go-fmt: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v3 + - uses: actions/checkout@v3 + with: + persist-credentials: false - run: make lint-with-go-fmt goreleaser: @@ -71,6 +82,8 @@ jobs: - test-windows - golangci-lint - go-fmt + permissions: + contents: write # to create a GitHub release (goreleaser/goreleaser-action) steps: - uses: actions/checkout@v3 - run: git fetch --prune --unshallow
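Review bot: The `test-ubuntu`, `golangci-lint` and `go-fmt` jobs in release.yml repeat their checks.yml counterparts, so every hardening setting and the linter version must be changed in two files; the `version: v1.44` to `v1.47` change in the `golangci-lint` job here looks like a correction of exactly that kind of drift. Consider giving checks.yml an `on: workflow_call` trigger and calling it from the release workflow as a single job with `uses: ./.github/workflows/checks.yml`, which `goreleaser` then lists under `needs:`. That keeps `permissions` and `persist-credentials: false` in one place, where a missed copy cannot weaken the release path.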
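Review bot: The `goreleaser` job is the one job granted `contents: write`, yet its `actions/checkout@v3` step is the only checkout left without `persist-credentials: false`, so the write-scoped token stays in the local git config for every later step of that job. If nothing later in the job pushes through git, the checkout can take `with:` plus `fetch-depth: 0` and `persist-credentials: false`, which also makes the separate `git fetch --prune --unshallow` step unnecessary. The remaining steps are outside this hunk, so that needs checking first. The release upload itself presumably authenticates through the token handed to goreleaser-action rather than through git; confirm before changing.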