From 40b2afb4e310b05496933718dc8d9ae46b312779 Mon Sep 17 00:00:00 2001
From: m1rm
Date: Wed, 20 May 2026 11:37:18 +0200
Subject: [PATCH] security: harden github actions

security: harden github actions
---
 .github/actions/setup/action.yml | 4 ++--
 .github/workflows/test.yml | 13 +++++++++----
 .github/workflows/update-go.yml | 5 +++--
 3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index b5320b8..39b99e7 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -10,11 +10,11 @@ runs:
   using: "composite"
   steps:
     - name: Install Just
-      uses: extractions/setup-just@v3
+      uses: extractions/setup-just@53165ef7e734c5c07cb06b3c8e7b647c5aa16db3 #v4
       env:
         GITHUB_TOKEN: ${{ github.token }}
     - name: Setup Go
-      uses: actions/setup-go@v6
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c #v6.4.0
       with:
         go-version: ${{ inputs.go-version }}
         go-version-file: ${{ inputs.go-version && '' || 'go.mod' }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 35814de..478e3ec 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,9 +10,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Run Common Setup
         uses: ./.github/actions/setup
       - name: golangci-lint
@@ -25,9 +26,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Run Common Setup
         uses: ./.github/actions/setup
       - run: just test
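Review bot: The `setup-just` line moves from `@v3` to a SHA commented as `#v4`, so a major-version upgrade of that action rides along with what the commit message describes as pinning; either mention the v3→v4 bump in the description or split it out, since a behavioural change in the action is hidden behind a hardening commit. A pinned hash is only as trustworthy as the check that it really is the commit behind the release tag, so it is worth recording in the description how the SHAs were verified. Without an automated updater for the `github-actions` ecosystem, pinned hashes tend to go stale; such updaters also keep the trailing version comment in sync, and the conventional spelling is `# v6.4.0` with a space after `#` — worth confirming for the tool in use. The composite action is referenced by the workflows via a local path, so it cannot itself be pinned and inherits these pins.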
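Review bot: The hardening in this hunk is applied per step (SHA pin and `persist-credentials: false` on the checkout), but the scope of the job token is not visible here; if test.yml has no top-level `permissions:` block (outside these hunks), add `permissions: contents: read` at workflow level so the `GITHUB_TOKEN` that the composite setup action receives through `github.token` is read-only for every job. The same change is repeated in the other three checkout hunks of this file (`@@ -25,9`, `@@ -36,9` and `@@ -52,7`), and this note applies to all of them. Turning credential persistence off is safe in these jobs because nothing after the checkout pushes or fetches a private remote; a one-line comment on the first occurrence, `# no step pushes; do not leave the token in .git/config`, would make that intent explicit for future edits.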
@@ -36,9 +38,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Run Common Setup
         uses: ./.github/actions/setup
       - run: just test-integration
@@ -52,7 +55,9 @@ jobs:
         test: ['test', 'build', 'test-cpu-detection', 'test-os-detection']
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          persist-credentials: false
       - name: Run Common Setup
         uses: ./.github/actions/setup
       - name: Install Qemu
diff --git a/.github/workflows/update-go.yml b/.github/workflows/update-go.yml
index f57fa63..ecdbe62 100644
--- a/.github/workflows/update-go.yml
+++ b/.github/workflows/update-go.yml
@@ -10,10 +10,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           token: ${{ secrets.MAINTENANCE_TOKEN }}
           fetch-depth: 0
+          persist-credentials: false
       - name: Run Common Setup
         uses: ./.github/actions/setup
         with:
@@ -29,7 +30,7 @@ jobs:
       - name: Run all tests
         run: just test-all
       - name: Commit updates
-        uses: stefanzweifel/git-auto-commit-action@v7
+        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 #v7.1.0
         with:
           commit_message: Update Go dependencies
           commit_user_name: Maintenance Bob
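Review bot: Adding `persist-credentials: false` to the update-go checkout (hunk `@@ -10,10 +10,11`) very likely breaks the job's purpose: the `Commit updates` step in the following hunk uses `stefanzweifel/git-auto-commit-action`, which pushes with the git credential that `actions/checkout` writes into the repository's config, so with persistence off the push is expected to fail with an authentication error. The checkout is done with the dedicated `secrets.MAINTENANCE_TOKEN` precisely so that this push can succeed, so the safer change is to drop the added `persist-credentials: false` line in this hunk only and keep it in test.yml, where no step pushes; the alternative of re-injecting the token right before the commit step is more fragile. Whichever is chosen, the PAT then remains in `.git/config` for the rest of the job, so keep the steps after checkout minimal and say why persistence is intentional: `# credentials stay persisted: Commit updates pushes with MAINTENANCE_TOKEN`. Verify this on a branch run before merging, since the failure only shows up at push time after the tests have already passed.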