chore(deps): bump the github-actions-dependencies group with 2 updates

Bumps the github-actions-dependencies group with 2 updates: [hoverkraft-tech/ci-github-common](https://github.com/hoverkraft-tech/ci-github-common) and [codecov/codecov-action](https://github.com/codecov/codecov-action). Updates `hoverkraft-tech/ci-github-common` from 0.12.0 to 0.13.0 - [Release notes](https://github.com/hoverkraft-tech/ci-github-common/releases) - [Commits](hoverkraft-tech/ci-github-common@0.12.0...0.13.0) Updates `codecov/codecov-action` from 4.1.1 to 4.2.0 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@v4.1.1...v4.2.0) --- updated-dependencies: - dependency-name: hoverkraft-tech/ci-github-common dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions-dependencies - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emilien Escalle <emilien.escalle@escemi.com>
hoverkraft-tech · Apr 5, 2024 · e842cf2 · e842cf2
1 parent 77cd9af
commit e842cf2
Show file tree

Hide file tree

Showing 13 changed files with 79 additions and 31 deletions.
diff --git a/.github/workflows/__generate-dependabot-config.yml b/.github/workflows/__generate-dependabot-config.yml
@@ -4,11 +4,14 @@ on:
  push:
  branches:
  - main
+
+permissions:
+ contents: read
+
 jobs:
  generate-dependabot-config:
- uses: hoverkraft-tech/ci-github-common/.github/workflows/generate-dependabot-config.yml@0.12.1
+ uses: hoverkraft-tech/ci-github-common/.github/workflows/generate-dependabot-config.yml@0.13.1
  with:
  github-app-id: ${{ vars.CI_BOT_APP_ID }}
  secrets:
  github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
-
diff --git a/.github/workflows/__greetings.yml b/.github/workflows/__greetings.yml
@@ -6,6 +6,11 @@ on:
  pull_request_target:
  branches: [main]
 
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
 jobs:
  greetings:
- uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@0.12.1
+ uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@0.13.1
diff --git a/.github/workflows/__main-ci.yml b/.github/workflows/__main-ci.yml
@@ -5,6 +5,13 @@ on:
  branches: [main]
  tags: ["*"]
 
+permissions:
+ contents: read
+ security-events: write
+ statuses: write
+ # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
+ id-token: write
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
@@ -16,7 +23,7 @@ jobs:
 
  release:
  needs: ci
- uses: hoverkraft-tech/ci-github-common/.github/workflows/release-actions.yml@0.12.1
+ uses: hoverkraft-tech/ci-github-common/.github/workflows/release-actions.yml@0.13.1
  with:
  update-all: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) || github.event_name == 'workflow_dispatch' }}
  github-app-id: ${{ vars.CI_BOT_APP_ID }}

diff --git a/.github/workflows/__need-fix-to-issue.yml b/.github/workflows/__need-fix-to-issue.yml
@@ -6,16 +6,21 @@ on:
  - main
  workflow_dispatch:
  inputs:
+ #checkov:skip=CKV_GHA_7: required
  manual-commit-ref:
  description: "The SHA of the commit to get the diff for"
  required: true
  manual-base-ref:
  description: "By default, the commit entered above is compared to the one directly before it; to go back further, enter an earlier SHA here"
  required: false
 
+permissions:
+ contents: read
+ issues: write
+
 jobs:
  main:
- uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@0.12.1
+ uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@0.13.1
  with:
  manual-commit-ref: ${{ inputs.manual-commit-ref }}
  manual-base-ref: ${{ inputs.manual-base-ref }}
diff --git a/.github/workflows/__pull-request-ci.yml b/.github/workflows/__pull-request-ci.yml
@@ -5,6 +5,13 @@ on:
  pull_request:
  branches: [main]
 
+permissions:
+ contents: read
+ security-events: write
+ statuses: write
+ # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
+ id-token: write
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

diff --git a/.github/workflows/__shared-ci.yml b/.github/workflows/__shared-ci.yml
@@ -3,9 +3,16 @@ name: Internal - Common Continuous Integration tasks
 on:
  workflow_call:
 
+permissions:
+ contents: read
+ security-events: write
+ statuses: write
+ # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
+ id-token: write
+
 jobs:
  linter:
- uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@0.12.1
+ uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@0.13.1
 
  test-action-get-package-manager:
  name: Test action "get-package-manager"

diff --git a/.github/workflows/__stale.yml b/.github/workflows/__stale.yml
@@ -4,6 +4,10 @@ on:
  schedule:
  - cron: "30 1 * * *"
 
+permissions:
+ issues: write
+ pull-requests: write
+
 jobs:
  main:
- uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@0.12.0
+ uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@0.13.1
diff --git a/.github/workflows/__test-action-get-package-manager.yml b/.github/workflows/__test-action-get-package-manager.yml
@@ -3,6 +3,9 @@ name: Internal - Tests for "get-package-manager" action
 on:
  workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
  test-yarn:
  name: Tests with Yarn package manager

diff --git a/.github/workflows/__test-action-has-installed-dependencies.yml b/.github/workflows/__test-action-has-installed-dependencies.yml
@@ -3,6 +3,9 @@ name: Internal - Tests for "has-installed-dependencies" action
 on:
  workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
  test-yarn:
  name: Tests with Yarn package manager

diff --git a/.github/workflows/__test-action-setup-node.yml b/.github/workflows/__test-action-setup-node.yml
@@ -3,6 +3,9 @@ name: Internal - Tests for "setup-node" action
 on:
  workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
  test-yarn:
  name: Tests with Yarn package manager

diff --git a/.github/workflows/__test-workflow-continuous-integration.yml b/.github/workflows/__test-workflow-continuous-integration.yml
@@ -3,8 +3,12 @@ name: Internal - Test Continuous integration workflow
 on:
  workflow_call:
 
+permissions:
+ contents: read
+ security-events: write
+ # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
+ id-token: write
+
 jobs:
  tests:
  uses: ./.github/workflows/continuous-integration.yml
- secrets:
- codecov-token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/continuous-integration.md b/.github/workflows/continuous-integration.md
@@ -27,24 +27,19 @@ on:
  pull_request:
  branches: [main]
 
+permissions:
+ contents: read
+ security-events: write
+ # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
+ id-token: write
+
 jobs:
  continuous-integration:
  uses: hoverkraft-tech/ci-github-nodejs/.github/workflows/continuous-integration.yml@0.4.2
- permissions:
- id-token: write
- security-events: write
- contents: read
 ```
 
 <!-- end usage -->
 <!-- start secrets -->
-
-## Secrets
-
-| **Secret** | **Description** | **Required** |
-| ------------------------------ | --------------------------------------------------------------- | ------------ |
-| **<code>codecov-token</code>** | Codecov token. See <https://github.com/codecov/codecov-action>. | **false** |
-
 <!-- end secrets -->
 <!-- start inputs -->
 

diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
@@ -41,10 +41,12 @@ on:
  type: string
  required: false
  default: "codecov"
- secrets:
- codecov-token:
- description: "Codecov token. See https://github.com/codecov/codecov-action."
- required: false
+
+permissions:
+ contents: read
+ security-events: write
+ # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
+ id-token: write
 
 jobs:
  code-ql:
@@ -54,7 +56,7 @@ jobs:
  security-events: write
  runs-on: "ubuntu-latest"
  steps:
- - uses: hoverkraft-tech/ci-github-common/actions/checkout@0.12.1
+ - uses: hoverkraft-tech/ci-github-common/actions/checkout@0.13.1
  - uses: github/codeql-action/init@v3.24.9
  with:
  languages: ${{ inputs.code-ql }}
@@ -73,7 +75,7 @@ jobs:
  steps:
  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
  # jscpd:ignore-start
- - uses: hoverkraft-tech/ci-github-common/actions/checkout@0.12.1
+ - uses: hoverkraft-tech/ci-github-common/actions/checkout@0.13.1
 
  - id: oidc
  uses: ChristopherHX/oidc@v3
@@ -148,7 +150,7 @@ jobs:
  id-token: write
  steps:
  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
- - uses: hoverkraft-tech/ci-github-common/actions/checkout@0.12.1
+ - uses: hoverkraft-tech/ci-github-common/actions/checkout@0.13.1
 
  - id: oidc
  uses: ChristopherHX/oidc@v3
@@ -182,7 +184,7 @@ jobs:
  id-token: write
  steps:
  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
- - uses: hoverkraft-tech/ci-github-common/actions/checkout@0.12.1
+ - uses: hoverkraft-tech/ci-github-common/actions/checkout@0.13.1
  if: needs.setup.outputs.build-commands
 
  - id: oidc
@@ -243,7 +245,7 @@ jobs:
  id-token: write
  steps:
  # FIXME: This is a workaround for having workflow ref. See https://github.com/orgs/community/discussions/38659
- - uses: hoverkraft-tech/ci-github-common/actions/checkout@0.12.1
+ - uses: hoverkraft-tech/ci-github-common/actions/checkout@0.13.1
 
  - if: needs.setup.outputs.build-artifact
  uses: actions/download-artifact@v4
@@ -273,6 +275,6 @@ jobs:
 
  - name: 📊 Code coverage
  if: inputs.coverage == 'codecov'
- uses: codecov/codecov-action@v4.1.1
+ uses: codecov/codecov-action@v4.2.0
  with:
- token: ${{ secrets.codecov-token }}
+ use_oidc: true