diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 292fc9c..f491d0a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,11 +6,13 @@ on: - main pull_request: +permissions: {} + jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4f29a23..1085648 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,18 +5,17 @@ on: name: release -permissions: - # Used to sign the release's artifacts with sigstore-python. - id-token: write - - # Used to attach signing artifacts to the published release. - contents: write +permissions: {} jobs: release: runs-on: ubuntu-latest + permissions: + id-token: write # Used to sign the artifacts. + contents: write # Used to attach signing artifacts to the release. + steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false diff --git a/.github/workflows/schedule-selftest.yml b/.github/workflows/schedule-selftest.yml index 86551e1..d759c4d 100644 --- a/.github/workflows/schedule-selftest.yml +++ b/.github/workflows/schedule-selftest.yml @@ -2,17 +2,19 @@ name: Scheduled self-test on: schedule: - - cron: '0 12 * * *' # Every day at 1200 UTC + - cron: "0 12 * * *" # Every day at 1200 UTC + +permissions: {} jobs: run-selftests: permissions: - id-token: write + id-token: write # for OIDC in selftest uses: ./.github/workflows/selftest.yml open-issue: permissions: - issues: write + issues: write # for opening the issue runs-on: ubuntu-latest if: ${{ failure() }} diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index c9761e6..ba65790 100644 
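Review bot: With the new workflow-level `permissions: {}` and no `permissions:` key on the `lint` job, that job now runs with a GITHUB_TOKEN carrying no scopes at all; checkout presumably keeps working only because this repository is public and its contents are readable without `contents: read`, so the job would fail at checkout if the repository were ever made private. Either grant `permissions: contents: read` on the job or record the assumption next to the new line, e.g. `permissions: {} # lint needs no token scopes; checkout relies on the repo being public`. Separately, the pinned SHA on the checkout line is unchanged while its label moves from `# v4` to `# v5.0.0`, so one of the two labels was wrong — presumably the old one — and the tag/SHA pairing is worth confirming with a pin-checking tool rather than by eye.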
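Review bot: The rewritten comment on `id-token: write` loses the detail the removed workflow-level comment carried — that the OIDC token is consumed by sigstore-python to sign the release artifacts — which is exactly what someone auditing this scope later wants to know. I'd keep it: `id-token: write # OIDC token for sigstore-python keyless signing of the release artifacts`. Narrowing both scopes from the workflow to the `release` job is the right direction; the `on:` trigger for this workflow sits above the hunk, so I can't tell from here what event starts it.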
--- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -13,7 +13,7 @@ permissions: {} jobs: selftest: permissions: - id-token: write + id-token: write # selftest strategy: matrix: os: @@ -25,10 +25,10 @@ jobs: runs-on: ${{ matrix.os }} if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v5 + - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 if: ${{ matrix.os != 'ubuntu-latest' }} with: python-version: "3.x" @@ -45,7 +45,7 @@ jobs: selftest-runner-python: permissions: - id-token: write + id-token: write # selftest strategy: matrix: os: @@ -55,7 +55,7 @@ jobs: runs-on: ${{ matrix.os }} if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Sign artifact and publish signature @@ -71,7 +71,7 @@ jobs: selftest-whitespace: permissions: - id-token: write + id-token: write # selftest strategy: matrix: os: @@ -81,10 +81,10 @@ jobs: runs-on: ${{ matrix.os }} if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v5 + - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 if: ${{ matrix.os != 'ubuntu-latest' }} with: python-version: "3.x" 
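Review bot: The added `# selftest` on `id-token: write` names the job rather than the reason the scope is granted, so it doesn't help a reader deciding whether the grant can be dropped; the same placeholder is repeated on every selftest job in this file. Something like `id-token: write # request an OIDC token for Sigstore keyless signing in this job` states why the scope exists. The `selftest` job body continues past this hunk.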
@@ -106,7 +106,7 @@ jobs: selftest-xfail-invalid-inputs: permissions: - id-token: write + id-token: write # selftest runs-on: ubuntu-latest strategy: matrix: @@ -117,7 +117,7 @@ jobs: - "/tmp/extremely-nonexistent-file" if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Sign artifact and publish signature @@ -138,11 +138,11 @@ jobs: selftest-staging: permissions: - id-token: write + id-token: write # selftest runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Sign artifact and publish signature @@ -158,11 +158,11 @@ jobs: selftest-glob: permissions: - id-token: write + id-token: write # selftest runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Sign artifacts and publish signatures @@ -180,13 +180,13 @@ jobs: selftest-xfail-glob-input-expansion: permissions: - id-token: write + id-token: write # selftest runs-on: ubuntu-latest env: TEST_DIR: test if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Sign artifacts and publish signatures 
@@ -210,11 +210,11 @@ jobs: selftest-glob-multiple: permissions: - id-token: write + id-token: write # selftest runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Sign artifacts and publish signatures @@ -237,11 +237,11 @@ jobs: selftest-upload-artifacts: permissions: - id-token: write + id-token: write # selftest runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Sign artifact and publish signature @@ -252,7 +252,7 @@ jobs: staging: true upload-signing-artifacts: true internal-be-careful-debug: true - - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v4 + - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: "signing-artifacts-${{ github.job }}" path: ./test/uploaded @@ -264,11 +264,11 @@ jobs: selftest-verify: permissions: - id-token: write + id-token: write # selftest runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Sign artifact and publish signature @@ -284,7 +284,7 @@ jobs: selftest-xfail-verify-missing-options: permissions: - id-token: write + id-token: write # selftest runs-on: ubuntu-latest strategy: matrix: 
@@ -308,7 +308,7 @@ jobs: if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Sign artifact and publish signature @@ -334,11 +334,11 @@ jobs: selftest-identity-token: permissions: - id-token: write + id-token: write # selftest runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Get OIDC token diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index d9c51f6..db3fe46 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -2,13 +2,17 @@ on: pull_request: {} push: branches: - - main - - master + - main + - master paths: - - .github/workflows/semgrep.yml + - .github/workflows/semgrep.yml schedule: - - cron: '0 0 * * 0' + - cron: "0 0 * * 0" + +permissions: {} + name: Semgrep + jobs: semgrep: name: Scan @@ -16,10 +20,10 @@ jobs: env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} container: - image: semgrep/semgrep + image: semgrep/semgrep:1.138.0 steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - run: semgrep ci diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index e821246..2eeccac 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml 
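Review bot: `image: semgrep/semgrep:1.138.0` pins a tag, and registry tags are mutable, so the image that actually runs can change underneath this workflow with no diff here; pin by digest as well, `image: semgrep/semgrep:1.138.0@sha256:<digest of that tag>`, and let the dependency updater refresh both. The job also exposes `SEMGREP_APP_TOKEN` to every step through the job-level `env:`; moving it onto the `- run: semgrep ci` step keeps the secret out of the checkout step's process environment. The `semgrep` job starts above this hunk.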
@@ -6,18 +6,17 @@ on: pull_request: branches: ["**"] +permissions: {} + jobs: zizmor: name: zizmor latest via PyPI runs-on: ubuntu-latest permissions: - security-events: write - # required for workflows in private repositories - contents: read - actions: read + security-events: write # for uploading the sarif file steps: - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false diff --git a/action.yml b/action.yml index 9f41ffd..7321297 100644 --- a/action.yml +++ b/action.yml @@ -101,7 +101,7 @@ runs: GHA_SIGSTORE_PYTHON_INPUTS: "${{ inputs.inputs }}" shell: bash - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: inputs.upload-signing-artifacts == 'true' with: name: "signing-artifacts-${{ github.job }}"
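Review bot: The hunk deletes `contents: read` and `actions: read` together with the comment saying they are required for workflows in private repositories, leaving only `security-events: write # for uploading the sarif file`; that is fine for a public repository, but the reason the scopes are absent is no longer recorded anywhere. I'd keep the knowledge in the comment: `security-events: write # upload-sarif; a private repo would also need contents: read and actions: read`. Note also that on a `pull_request` from a fork the token is read-only regardless of this block, so the SARIF upload step (outside this hunk) would fail there unless it is gated; worth confirming how that step is conditioned.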