ci: enforce least-privilege permissions and update workflows (#188)

* ci: add permissions: {} to CI workflow with job-level contents: read

* ci: enforce least-privilege permissions in security workflow

* ci: enforce least-privilege permissions in commitlint workflow

* ci: enforce least-privilege permissions in pr-lint workflow and update actions

* ci: enforce least-privilege permissions in stale workflow and update actions

* ci: enforce least-privilege permissions in sync-labels workflow and update actions

* ci: enforce least-privilege permissions in release workflow and update actions

* chore(actions): update ivuorinen/actions/codeql-analysis (v2026.03.06 → v2026.03.09)

* chore(deps): update testdata composite action dependencies
2026-03-10 19:08:53 +02:00
committed by GitHub
parent 042b7a27a4
commit d266beab79
9 changed files with 25 additions and 23 deletions


@@ -5,9 +5,14 @@ on:
branches: [main] branches: [main]
pull_request: pull_request:
branches: [main] branches: [main]
permissions: {}
jobs: jobs:
test: test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
steps: steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
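Review bot: The workflow-level `permissions: {}` zeroes the token for every job, but the only job-level grant in this hunk is `contents: read` on `test`; any other job in ci.yml (not visible here) would now run with no scopes at all, so confirm each job declares its own `permissions:` block. The same check applies to commitlint.yml, where only the `commitlint` job is shown receiving a grant. A short comment above the empty grant, `# default-deny: every job must declare the scopes it needs`, would make the intent survive future job additions.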


@@ -28,7 +28,7 @@ jobs:
language: ["actions", "go"] language: ["actions", "go"]
steps: steps:
- name: CodeQL Analysis - name: CodeQL Analysis
uses: ivuorinen/actions/codeql-analysis@97105fc2a909360678588cb50caf0be5144be486 # v2026.03.06 uses: ivuorinen/actions/codeql-analysis@4360ea39c744dbd52bf1d624bf058ba4dd81245a # v2026.03.09
with: with:
language: ${{ matrix.language }} language: ${{ matrix.language }}
queries: security-and-quality queries: security-and-quality


@@ -9,13 +9,14 @@ on:
branches: branches:
- main - main
permissions: permissions: {}
contents: read
jobs: jobs:
commitlint: commitlint:
name: Validate Commit Messages name: Validate Commit Messages
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2


@@ -12,8 +12,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: permissions: {}
contents: read
jobs: jobs:
Linter: Linter:
@@ -31,4 +30,4 @@ jobs:
steps: steps:
- name: Run PR Lint - name: Run PR Lint
# https://github.com/ivuorinen/actions # https://github.com/ivuorinen/actions
uses: ivuorinen/actions/pr-lint@6e8f2aae9d0846d901d9eba15b8e94a2900573dc # v2026.03.02 uses: ivuorinen/actions/pr-lint@4360ea39c744dbd52bf1d624bf058ba4dd81245a # v2026.03.09
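Review bot: Replacing the top-level `contents: read` with `permissions: {}` leaves the `Linter` job with an empty token unless a job-level `permissions:` block already exists between the two hunks, and the hunk line counts show no job-level grant added in this file. The same pattern appears in release.yml (`release` job, which the later hunk shows logging in to ghcr.io and installing cosign) and sync-labels.yml (`labels` job, which checks out with `secrets.GITHUB_TOKEN`), so each of those jobs' `permissions:` blocks, outside the hunks, now carries the whole grant. If any of them is missing, add one declaring exactly what the action needs, e.g. for the linter presumably `permissions:` / `  pull-requests: read` — confirm against the pr-lint action's documentation rather than guessing.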


@@ -6,8 +6,7 @@ on:
tags: tags:
- "v*.*.*" - "v*.*.*"
permissions: permissions: {}
contents: read
jobs: jobs:
release: release:
@@ -33,18 +32,18 @@ jobs:
node-version: "24" node-version: "24"
- name: Install cosign - name: Install cosign
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
with: with:
cosign-release: "v2.4.0" cosign-release: "v2.4.0"
- name: Install syft - name: Install syft
uses: anchore/sbom-action/download-syft@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0 uses: anchore/sbom-action/download-syft@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to GitHub Container Registry - name: Log in to GitHub Container Registry
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.actor }} username: ${{ github.actor }}
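Review bot: `docker/setup-buildx-action` (v3.12.0 → v4.0.0) and `docker/login-action` (v3.7.0 → v4.0.0) are major-version bumps, grouped here with patch-level updates under "update actions"; major releases can drop or rename inputs, so the `with:` blocks of both steps (the login step's `password:` line is outside the hunk) should be checked against the v4 changelogs before this lands. The SHA pins with version comments are good practice and should be kept.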


@@ -12,6 +12,8 @@ on:
- cron: "0 2 * * 0" - cron: "0 2 * * 0"
merge_group: merge_group:
permissions: {}
jobs: jobs:
# Comprehensive security coverage: # Comprehensive security coverage:
# - govulncheck: Go-specific vulnerability scanning # - govulncheck: Go-specific vulnerability scanning
@@ -45,7 +47,7 @@ jobs:
name: Trivy Security Scan name: Trivy Security Scan
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: write # needed for Dependency Submission API (SBOM)
security-events: write security-events: write
steps: steps:
- name: Checkout repository - name: Checkout repository
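Review bot: Raising the Trivy job from `contents: read` to `contents: write` widens the scan job's token to repository write just to reach the Dependency Submission API, on a workflow that the first hunk shows also runs on `merge_group` and a weekly cron. A job that checks out and scans code with a write-capable token has a larger blast radius than the SBOM upload needs; consider keeping the scan job at `contents: read` and moving the submission step into its own job (`needs:` the scan job, `permissions:` with `contents: write` only) so the write scope is held by the fewest steps possible. If the workflow also carries a `pull_request` trigger (not visible here), fork PRs receive a read-only token regardless, so the submission step should be conditioned on the event to avoid a spurious failure. The remaining steps of the Trivy job are outside the hunk.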


@@ -8,10 +8,7 @@ on:
workflow_call: workflow_call:
workflow_dispatch: workflow_dispatch:
permissions: permissions: {}
contents: read
packages: read
statuses: read
jobs: jobs:
stale: stale:
@@ -23,4 +20,4 @@ jobs:
issues: write issues: write
pull-requests: write pull-requests: write
steps: steps:
- uses: ivuorinen/actions/stale@6e8f2aae9d0846d901d9eba15b8e94a2900573dc # v2026.03.02 - uses: ivuorinen/actions/stale@4360ea39c744dbd52bf1d624bf058ba4dd81245a # v2026.03.09


@@ -20,8 +20,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: permissions: {}
contents: read
jobs: jobs:
labels: labels:
@@ -40,4 +39,4 @@ jobs:
fetch-depth: 0 fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
- name: ⤵️ Sync Latest Labels Definitions - name: ⤵️ Sync Latest Labels Definitions
uses: ivuorinen/actions/sync-labels@6e8f2aae9d0846d901d9eba15b8e94a2900573dc # v2026.03.02 uses: ivuorinen/actions/sync-labels@4360ea39c744dbd52bf1d624bf058ba4dd81245a # v2026.03.09


@@ -18,13 +18,13 @@ runs:
using: composite using: composite
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
fetch-depth: 0 fetch-depth: 0
token: ${{ github.token }} token: ${{ github.token }}
- name: Setup Node.js - name: Setup Node.js
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with: with:
node-version: ${{ inputs.node-version }} node-version: ${{ inputs.node-version }}
cache: 'npm' cache: 'npm'