ci: tighten security of checkout action

foosel · foosel · commit 4b9f0811bce2 · 2026-03-04T16:36:46.000+01:00
diff --git a/.github/workflows/publish-to-github-pages.yml b/.github/workflows/publish-to-github-pages.yml
@@ -2,7 +2,7 @@ name: Build, validate & deploy page
 
 on:
   schedule:
-    - cron: '0 */1 * * *'
+    - cron: "0 */1 * * *"
   push:
     branches:
       - gh-pages
@@ -22,7 +22,9 @@ jobs:
     name: Build and validate
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: 🐍 Set up Python 3.11
         uses: actions/setup-python@v4
@@ -64,9 +66,9 @@ jobs:
       - name: 💎 Set up Ruby 3
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '3.4'
+          ruby-version: "3.4"
           bundler-cache: true
-      
+
       - name: 🔨 Build page
         run: |
           bundle exec jekyll build --future --trace
@@ -100,15 +102,15 @@ jobs:
           DISCORD_WEBHOOK: ${{ secrets.discord_webhook }}
         uses: Ilshidur/action-discord@master
         with:
-          args: '☑️ Page build for plugins.octoprint.org was successful'
+          args: "☑️ Page build for plugins.octoprint.org was successful"
 
       - name: 📧 Discord failure notification
         if: failure() && github.repository == 'OctoPrint/plugins.octoprint.org' && github.event_name != 'pull_request'
         env:
           DISCORD_WEBHOOK: ${{ secrets.discord_webhook }}
         uses: Ilshidur/action-discord@master
         with:
-          args: '🚫 Page build for plugins.octoprint.org failed'
+          args: "🚫 Page build for plugins.octoprint.org failed"
 
   deploy:
     name: "Deploy"
diff --git a/.github/workflows/validate-pull-requests.yml b/.github/workflows/validate-pull-requests.yml
@@ -7,16 +7,18 @@ jobs:
     name: Validate changed plugin files
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
         with:
           path: src
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
+          persist-credentials: false
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
         with:
           path: current
           ref: gh-pages
+          persist-credentials: false
 
       - name: 🐍 Set up Python 3.11
         uses: actions/setup-python@v4
