pin versions, improve permissions

grafana · Nov 27, 2024 · 6c9a7d8 · 6c9a7d8
1 parent 129410e
commit 6c9a7d8
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 7 deletions.
diff --git a/.github/workflows/deploy-pr-preview.yml b/.github/workflows/deploy-pr-preview.yml
@@ -6,13 +6,15 @@ on:
       - opened
       - synchronize
       - closed
+    # paths:
+    #   - "docs/sources/**"
 
 jobs:
   deploy-pr-preview:
     uses: grafana/writers-toolkit/.github/workflows/deploy-preview.yml@robbymilo/deploy-preview
     with:
       sha: ${{ github.event.pull_request.head.sha }}
-      branch: ${{ github.ref_name }}
+      branch: ${{ github.head_ref }}
       event_number: ${{ github.event.number }}
       title: ${{ github.event.pull_request.title }}
       repo: writers-toolkit

diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml
@@ -32,8 +32,9 @@ env:
   CLOUD_RUN_REGION: us-south1
 
 permissions:
-  contents: read
-  id-token: write
+  id-token: write # Needed for authentication.
+  statuses: write # Needed to send deploy preview link as a commit status.
+  pull-requests: write # Needed to add/update a comment with the deploy preview link.
 
 concurrency:
   group: ${{ github.workflow }}-${{ inputs.repo }}-${{ github.event.pull_request.number || github.ref }}
@@ -63,7 +64,7 @@ jobs:
           body: |
             :building_construction: Updating deploy preview...
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         if: github.event.action != 'closed'
 
       # get the Dockerfile and nginx conf
@@ -128,14 +129,14 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           file: ./deploy-preview-files/deploy-preview/Dockerfile
 
-      - uses: "google-github-actions/auth@v2.1.6"
+      - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
         id: gcloud-auth-cloud-run
         with:
           workload_identity_provider: "projects/304398677251/locations/global/workloadIdentityPools/github/providers/github-provider"
           service_account: "github-docs-cloud-run-dev@grafanalabs-workload-identity.iam.gserviceaccount.com"
 
       - name: Deploy to Cloud Run
-        uses: "google-github-actions/deploy-cloudrun@v2.7.2"
+        uses: google-github-actions/deploy-cloudrun@1ec29da1351112c7904fb60454a55e3e1021a51c # v2.7.2
         if: github.event.action != 'closed'
         id: deploy
         with:
@@ -157,7 +158,7 @@ jobs:
           gcloud run services delete deploy-preview-${{ inputs.repo }}-${{ inputs.event_number }} --region=${{ env.CLOUD_RUN_REGION }} --project=grafanalabs-dev --quiet
 
       - name: Send commit status
-        uses: ouzi-dev/commit-status-updater@v2
+        uses: ouzi-dev/commit-status-updater@26588d166ff273fc4c0664517359948f7cdc9bf1 # v2.0.2
         if: github.event.action != 'closed'
         with:
           name: deploy_preview