Action audit

Author: MatteoH2O1999

.github/workflows/check.yml

@@ -8,11 +8,10 @@ on:
         description: Specific version to check
         type: string
       allow-prereleases:
-          required: true
-          default: false
-          description: Include prereleases in the check
-          type: boolean
-
+        required: true
+        default: false
+        description: Include prereleases in the check
+        type: boolean
 
 jobs:
   test_python_build:
@@ -26,6 +25,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           submodules: recursive
       - name: Test action with Python ${{ inputs.python-version }}
         id: build
@@ -35,4 +35,4 @@ jobs:
           allow-build: info
           allow-prereleases: ${{ inputs.allow-prereleases }}
       - name: Check Python version
-        run: python ./.github/scripts/check_python_version.py ${{ inputs.python-version }}
+        run: python ./.github/scripts/check_python_version.py ${{ inputs.python-version }}

.github/workflows/periodic_check.yml

@@ -4,7 +4,6 @@ on:
   schedule:
     - cron: 0 0 * * *
   workflow_dispatch:
-      
 
 jobs:
   # Create strategy matrix with a python script
@@ -17,6 +16,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           submodules: recursive
       - name: Update pip
         run: python -m pip install --upgrade pip
@@ -27,7 +27,7 @@ jobs:
       - name: Create matrix
         id: matrix
         run: python ./.github/scripts/create_python_matrix.py true
-  
+
   # Test the action with all possible combinations of python versions and os
   test_action:
     needs: create_matrix
@@ -40,6 +40,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           submodules: recursive
       - name: Setup Python ${{ matrix.python-version }}
         uses: MatteoH2O1999/setup-python@v5
@@ -48,4 +49,4 @@ jobs:
           allow-build: info
           cache-build: ${{ matrix.cache }}
       - name: Check Python version
-        run: python ./.github/scripts/check_python_version.py ${{ matrix.python-version }}
+        run: python ./.github/scripts/check_python_version.py ${{ matrix.python-version }}

.github/workflows/release.yml

@@ -10,8 +10,10 @@ jobs:
   update_tags:
     runs-on: ubuntu-latest
     name: Update version tags
+    permissions:
+      contents: write
     steps:
       - name: Update tags
         uses: actions/publish-action@v0.3.0
         with:
-          source-tag: ${{ github.event.release.tag_name }}
+          source-tag: ${{ github.event.release.tag_name }}

.github/workflows/test.yml

@@ -22,6 +22,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           submodules: recursive
       - name: Update pip
         run: python -m pip install --upgrade pip
@@ -32,7 +33,7 @@ jobs:
       - name: Create matrix
         id: matrix
         run: python ./.github/scripts/create_python_matrix.py false
-  
+
   # Test the action with all possible combinations of python versions and os
   test_action:
     needs: create_matrix
@@ -45,11 +46,12 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           submodules: recursive
       - name: Setup Python ${{ matrix.python-version }}
         uses: ./
         with:
           python-version: ${{ matrix.python-version }}
           allow-build: info
       - name: Check Python version
-        run: python ./.github/scripts/check_python_version.py ${{ matrix.python-version }}
+        run: python ./.github/scripts/check_python_version.py ${{ matrix.python-version }}