From 0589c33a1624618842ae6b5a4e870a32b41305a3 Mon Sep 17 00:00:00 2001
From: Joonas Hiltunen
Date: Mon, 8 Dec 2025 15:34:12 +0200
Subject: [PATCH] Add permissions for workflows and update 3rd party actions

---
 .github/workflows/cd.yml | 7 +++++--
 .github/workflows/check-renovatebot-config.yml | 5 ++++-
 .github/workflows/ci.yml | 7 +++++--
 .github/workflows/ktlint.yml | 9 ++++++---
 4 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 58e8099..77544a0 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -4,10 +4,13 @@ on:
 push:
 branches:
 - main
- - "releases/**"
+ - releases/**
 pull_request:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 run_unit_tests:
 name: Run unit tests
@@ -25,7 +28,7 @@ jobs:
 permissions:
 id-token: write
 contents: read
- uses: HSLdevcom/jore4-tools/.github/workflows/shared-build-and-publish-docker-image.yml@shared-build-and-publish-docker-image-v1
+ uses: HSLdevcom/jore4-tools/.github/workflows/shared-build-and-publish-docker-image.yml@shared-build-and-publish-docker-image-v6
 with:
 docker_image_name: jore4-auth
 build_arm64_image: true
diff --git a/.github/workflows/check-renovatebot-config.yml b/.github/workflows/check-renovatebot-config.yml
index 1eb9de0..66402ae 100644
--- a/.github/workflows/check-renovatebot-config.yml
+++ b/.github/workflows/check-renovatebot-config.yml
@@ -3,9 +3,12 @@ name: Check renovatebot config
 on:
 pull_request:
 
+permissions:
+ contents: read
+
 jobs:
 validate:
 name: Validate renovatebot config
- uses: HSLdevcom/jore4-tools/.github/workflows/shared-check-renovatebot-config.yml@shared-check-renovatebot-config-v1
+ uses: HSLdevcom/jore4-tools/.github/workflows/shared-check-renovatebot-config.yml@shared-check-renovatebot-config-v2
 with:
 config_file_path: .github/renovate.json5
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0df558c..ff8e9d7 100644
--- a/.github/workflows/ci.yml
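Review bot: The new top-level `permissions` block in cd.yml carries no comment, and the job-level block two hunks further down widens it to `id-token: write`, so a reader has to work out that the top-level entry is only the default and not the effective scope of every job. A comment above it would make that explicit, e.g. `# Default GITHUB_TOKEN scope for all jobs; jobs that publish widen it in their own permissions block.` The same uncommented block is added to check-renovatebot-config.yml, ci.yml and ktlint.yml; in the two workflow_call-only files the block can only narrow what the calling workflow passes in, never widen it, which is worth saying in the comment there so nobody later tries to grant `write` from inside the called workflow.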
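Review bot: The bumped `uses:` line still references a mutable tag (`@shared-build-and-publish-docker-image-v6`), so the workflow that runs with `id-token: write` can change upstream without any change in this repository. Pinning to the tag's full commit SHA and keeping the tag in a trailing comment, e.g. `uses: HSLdevcom/jore4-tools/.github/workflows/shared-build-and-publish-docker-image.yml@<full-commit-sha>  # shared-build-and-publish-docker-image-v6`, keeps future updates reviewable, and Renovate can maintain such pins when its config is set up for it. The same applies to `shared-check-renovatebot-config-v2` in check-renovatebot-config.yml and to `actions/checkout@v6` / `actions/setup-java@v5` in ci.yml and ktlint.yml. If jore4-tools is owned by the same organisation and its tags are protected, leaving the reusable-workflow references on tags may be an accepted trade-off; the third-party action references are the ones to pin first.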
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,9 @@ on:
 # this workflow is only called by others, won't be executed on itself
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 tests:
 name: Run auth backend tests
@@ -11,10 +14,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 - name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@v5
 with:
 java-version: "17"
 java-package: jdk
diff --git a/.github/workflows/ktlint.yml b/.github/workflows/ktlint.yml
index 9f7e6ec..806f898 100644
--- a/.github/workflows/ktlint.yml
+++ b/.github/workflows/ktlint.yml
@@ -1,8 +1,11 @@
-name: 'ktlint'
+name: ktlint
 on:
 # this workflow is only called by others, won't be executed on itself
 workflow_call:
 
+permissions:
+ contents: read
+
 jobs:
 spotless:
 name: Check code is formatted with ktlint
@@ -10,10 +13,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 - name: Set up JDK 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@v5
 with:
 java-version: "17"
 java-package: jdk
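Review bot: The `actions/checkout@v6` step in the ci.yml steps hunk is used without `persist-credentials: false`, so the job token remains stored in the checked-out repository and readable by the JDK setup step and everything that follows it, even though nothing visible in this workflow pushes back. Adding `with:` / `persist-credentials: false` under that step limits what a compromised build plugin or test can pick up; the new `contents: read` default makes the token read-only, which lowers the impact but does not remove it. The ktlint.yml checkout step in this commit has the same shape and would take the same two lines. The enclosing job (runs-on and any later steps) starts and may continue outside the hunk, so confirm no later step relies on the persisted token before changing it.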