Merge pull request #2715 from vincepri/improve-dep-version

🌱 Improve github actions dependencies versions and permissions
kubernetes-sigs · Mar 20, 2024 · 395cfc7 · 395cfc7
2 parents 2831a3d + c62ab1a
commit 395cfc7
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 4 deletions.
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -4,6 +4,15 @@ on:
     types: [opened, edited, synchronize, reopened]
     branches:
       - main
+
+permissions:
+  # Required: allow read access to the content for analysis.
+  contents: read
+  # Optional: allow read access to pull request. Use with `only-new-issues` option.
+  pull-requests: read
+  # Optional: Allow write access to checks to allow the action to annotate code in the PR.
+  checks: write
+
 jobs:
   golangci:
     name: lint
@@ -14,13 +23,15 @@ jobs:
           - ""
           - tools/setup-envtest
     steps:
-      - uses: actions/setup-go@v5
+      - name: Set up Go
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # tag=v5.0.0
         with:
           go-version: '1.21'
           cache: false
       - uses: actions/checkout@v4
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # tag=v4.0.0
         with:
           version: v1.56.2
+          args: --out-format=colored-line-number
           working-directory: ${{matrix.working-directory}}
diff --git a/.github/workflows/pr-dependabot.yaml b/.github/workflows/pr-dependabot.yaml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@v4 # tag=v3.5.3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
     - name: Set up Go
       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # tag=v5.0.0
       with:

diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -2,13 +2,16 @@ on:
   pull_request_target:
     types: [opened, edited, reopened, synchronize]
 
+permissions:
+  checks: write # Allow access to checks to write check runs.
+
 jobs:
   verify:
     runs-on: ubuntu-latest
     name: verify PR contents
     steps:
     - name: Verifier action
       id: verifier
-      uses: kubernetes-sigs/kubebuilder-release-tools@v0.4.3
+      uses: kubernetes-sigs/kubebuilder-release-tools@012269a88fa4c034a0acf1ba84c26b195c0dbab4 # tag=v0.4.3
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}