Skip to content

Commit 8813734

Browse files
authored
Improve the security of GitHub Action workflows (#4421)
1 parent b6d55c2 commit 8813734

13 files changed

Lines changed: 104 additions & 32 deletions

.github/dependabot.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,8 @@ updates:
1212
directory: "/"
1313
schedule:
1414
interval: "weekly"
15+
cooldown:
16+
default-days: 7
1517
labels:
1618
- dependencies
1719
- github_actions

.github/workflows/check-rtw.yml

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,8 @@
11
# This workflow performs various validation steps for Cylc and Rose.
22
name: Check Recipe Test Workflow (RTW)
33

4+
permissions: {}
5+
46
# Controls when the action will run
57
on:
68
# Triggers the workflow on push events
@@ -36,10 +38,12 @@ jobs:
3638
# Checks-out your repository under $GITHUB_WORKSPACE, so your job
3739
# can access it
3840
- name: Checkout repository
39-
uses: actions/checkout@v6
41+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
42+
with:
43+
persist-credentials: false
4044

4145
- name: Setup Cylc
42-
uses: cylc/setup-cylc@v1
46+
uses: cylc/setup-cylc@99ce72c7841aa3f222420d2df16fa31a31f76fde # v1.0.1
4347
with:
4448
cylc_rose: true
4549

.github/workflows/check_links.yml

Lines changed: 7 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,7 @@
11
name: Check Links for Documentation
22

3+
permissions: {}
4+
35
on:
46
# push:
57
# branches:
@@ -15,11 +17,13 @@ jobs:
1517
permissions:
1618
issues: write # Required for peter-evans/create-issue-from-file
1719
steps:
18-
- uses: actions/checkout@v6
20+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
21+
with:
22+
persist-credentials: false
1923

2024
- name: Link Checker
2125
id: lychee
22-
uses: lycheeverse/lychee-action@v2
26+
uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0
2327

2428
with:
2529
# This token is included to avoid github.com requests rate limiting
@@ -35,7 +39,7 @@ jobs:
3539

3640
- name: Create Issue From File
3741
if: steps.lychee.outputs.exit_code != 0
38-
uses: peter-evans/create-issue-from-file@v6
42+
uses: peter-evans/create-issue-from-file@fca9117c27cdc29c6c4db3b86c48e4115a786710 # v6.0.0
3943
with:
4044
title: "🔗 Link Checker Report - ${{ env.REPORT_DATE }}"
4145
content-filepath: ./lychee/out.md

.github/workflows/check_links_in_pr.yml

Lines changed: 10 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,7 @@
11
name: Link Checker for Pull requests
2+
3+
permissions: {}
4+
25
on:
36
pull_request:
47
branches:
@@ -9,10 +12,12 @@ jobs:
912
outputs:
1013
files: ${{ steps.changed-doc-files.outputs.all_changed_files }}
1114
steps:
12-
- uses: actions/checkout@v6
15+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
16+
with:
17+
persist-credentials: false
1318
- name: Get changed doc files
1419
id: changed-doc-files
15-
uses: tj-actions/changed-files@v47
20+
uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
1621
with:
1722
# Avoid using single or double quotes for multiline patterns
1823
files: |
@@ -28,12 +33,13 @@ jobs:
2833
file: ${{ fromJSON(needs.changedFiles.outputs.files) }}
2934
fail-fast: false
3035
steps:
31-
- uses: actions/checkout@v6
36+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3237
with:
3338
fetch-depth: 2
39+
persist-credentials: false
3440
- name: Link Checker for changed files
3541
id: lychee
36-
uses: lycheeverse/lychee-action@v2
42+
uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0
3743
with:
3844
# This token is included to avoid github.com requests rate limiting
3945
token: ${{ secrets.TOKEN_GITHUB }}

.github/workflows/citation_file_validator.yml

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,8 @@
33

44
name: CFF File Validator
55

6+
permissions: {}
7+
68
on:
79
push:
810
paths:
@@ -17,9 +19,11 @@ jobs:
1719
if: github.event_name != 'schedule' || github.repository == 'ESMValGroup/ESMValTool' # avoid scheduled GHAs in forks
1820
steps:
1921
- name: Check out a copy of the repository
20-
uses: actions/checkout@v6
22+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
23+
with:
24+
persist-credentials: false
2125

2226
- name: Check whether the citation metadata from CITATION.cff is valid
23-
uses: citation-file-format/cffconvert-github-action@2.0.0
27+
uses: citation-file-format/cffconvert-github-action@4cf11baa70a673bfdf9dad0acc7ee33b3f4b6084 # 2.0.0
2428
with:
2529
args: "--validate"

.github/workflows/cron_esmvalbot_test.yml

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,9 @@
11
name: Run Esmvalbot Test
22

3+
permissions:
4+
contents: write
5+
pull-requests: write
6+
37
on:
48
# push:
59
# branches:
@@ -18,9 +22,10 @@ jobs:
1822
runs-on: 'ubuntu-latest'
1923
if: github.repository == 'ESMValGroup/ESMValTool' # avoid GAs in forks
2024
steps:
21-
- uses: actions/checkout@v6
25+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2226
with:
2327
fetch-depth: 0
28+
persist-credentials: false
2429
- name: Create empty commit on branch
2530
run: |
2631
git config user.name 'Valeriu Predoi'
@@ -30,7 +35,7 @@ jobs:
3035
# as comment in the PR
3136
# see https://github.com/marketplace/actions/create-pull-request
3237
- name: Create Auto PR
33-
uses: peter-evans/create-pull-request@v8
38+
uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
3439
with:
3540
token: ${{ secrets.GITHUB_TOKEN }}
3641
commit-message: empty message

.github/workflows/install-from-conda.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,8 @@
11
---
22
name: Install from Conda
33

4+
permissions: {}
5+
46
# runs on a push on main and at the end of every day
57
on:
68
push:

.github/workflows/pypi-build-and-deploy.yml

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,8 @@
11
# Workflow from https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
22
name: Publish Python 🐍 distribution 📦 to PyPI and TestPyPI
33

4+
permissions: {}
5+
46
on:
57
release:
68
types: [published]
@@ -16,12 +18,12 @@ jobs:
1618
runs-on: ubuntu-latest
1719

1820
steps:
19-
- uses: actions/checkout@v6
21+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2022
with:
2123
fetch-depth: 0
2224
persist-credentials: false
2325
- name: Set up Python
24-
uses: actions/setup-python@v6
26+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
2527
with:
2628
python-version: "3.x"
2729
- name: Install pypa/build
@@ -33,7 +35,7 @@ jobs:
3335
- name: Build a binary wheel and a source tarball
3436
run: python3 -m build
3537
- name: Store the distribution packages
36-
uses: actions/upload-artifact@v7
38+
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
3739
with:
3840
name: python-package-distributions
3941
path: dist/
@@ -53,9 +55,9 @@ jobs:
5355

5456
steps:
5557
- name: Download all the dists
56-
uses: actions/download-artifact@v8
58+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
5759
with:
5860
name: python-package-distributions
5961
path: dist/
6062
- name: Publish distribution 📦 to PyPI
61-
uses: pypa/gh-action-pypi-publish@v1.14.0
63+
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0

.github/workflows/run-tests-monitor.yml

Lines changed: 13 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,8 @@
11
---
22
name: Monitor Tests
3+
4+
permissions: {}
5+
36
on:
47
push:
58
branches:
@@ -24,14 +27,19 @@ jobs:
2427
strategy:
2528
fail-fast: false
2629
matrix:
27-
os: [ubuntu-latest, macos-latest]
28-
environment: [test-py312, test-py313]
30+
os:
31+
- ubuntu-latest
32+
- macos-latest
33+
environment:
34+
- test-py312
35+
- test-py313
2936
name: ${{ matrix.os }} ${{ matrix.environment }}
3037
steps:
31-
- uses: actions/checkout@v6
38+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3239
with:
3340
fetch-depth: 0
34-
- uses: prefix-dev/setup-pixi@v0.9.5
41+
persist-credentials: false
42+
- uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
3543
with:
3644
frozen: true
3745
environments: ${{ matrix.environment }}
@@ -43,7 +51,7 @@ jobs:
4351
run: python tests/parse_pymon.py
4452
- name: Upload artifacts
4553
if: ${{ always() }} # upload artifacts even if fail
46-
uses: actions/upload-artifact@v7
54+
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
4755
with:
4856
name: Test_reports_${{ matrix.os }}_${{ matrix.environment }}
4957
path: test-reports

.github/workflows/stale.yml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,7 @@
11
name: Close stale issues and pull requests
22

3+
permissions: {}
4+
35
on:
46
schedule:
57
# Run once a day
@@ -10,7 +12,7 @@ jobs:
1012
if: "github.repository == 'ESMValGroup/ESMValTool'"
1113
runs-on: ubuntu-latest
1214
steps:
13-
- uses: actions/stale@v10
15+
- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
1416
with:
1517
days-before-issue-stale: 1080
1618
days-before-pr-stale: 360

0 commit comments

Comments
 (0)