ci: Constrain CI runner access (#357)

lubux · web-flow · commit 6097ee32c2fd · 2026-04-09T16:10:22.000+02:00
diff --git a/.github/actions/build-gosop/action.yml b/.github/actions/build-gosop/action.yml
@@ -16,7 +16,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout gopenpgp
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
       with:
         ref: ${{ inputs.gopenpgp-ref }}
         path: gopenpgp
@@ -32,7 +32,7 @@ runs:
       with:
         go-version: ^1.18
     - name: Check out gosop
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
       with:
         repository: ProtonMail/gosop
         ref: ${{ env.GOSOP_BRANCH_REF}}
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
@@ -6,19 +6,22 @@ on:
   pull_request:
     branches: [ main, v3 ]
 
+permissions: {}
+
 jobs:
   build:
     name: Build library for Android with gomobile
     runs-on: ubuntu-latest
 
     steps:
-    - name: Set up JDK 1.8
-      uses: actions/setup-java@v1
+    - name: Set up JDK 8
+      uses: actions/setup-java@v5
       with:
-        java-version: 1.8
+        distribution: 'zulu'
+        java-version: 8
 
     - name: Set up Go 1.x
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
       with:
         go-version: ^1.16
       id: go
@@ -30,7 +33,7 @@ jobs:
         link-to-sdk: true
 
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
 
     - name: Build
       run: |
@@ -41,7 +44,7 @@ jobs:
         find dist
 
     - name: Upload Android artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v7
       with:
         name: Android build
         path: dist/android
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -6,16 +6,18 @@ on:
   pull_request:
     branches: [ main, Proton ]
 
+permissions: {}
+
 jobs:
   test:
     name: Test with latest golang
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up latest golang
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: '^1.18'
 
@@ -26,10 +28,10 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v6
         with:
           go-version: '1.23'
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
diff --git a/.github/workflows/ios.yml b/.github/workflows/ios.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: [ main, v3 ]
 
+permissions: {}
+
 jobs:
   build:
     name: Build library for iOS with gomobile
@@ -19,13 +21,13 @@ jobs:
         id: xcode
 
       - name: Set up Go 1.x
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v6
         with:
           go-version: ^1.16
         id: go
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Build
         env:
@@ -35,7 +37,7 @@ jobs:
           find dist
 
       - name: Upload xcframework
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: gopenpgp.xcframework
           path: dist/apple/gopenpgp.xcframework
diff --git a/.github/workflows/sop-test-suite.yml b/.github/workflows/sop-test-suite.yml
@@ -4,21 +4,23 @@ on:
   pull_request:
     branches: [ main, v3 ]
 
+permissions: {}
+
 jobs:
 
   build-gosop:
     name: Build gosop from branch
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Build gosop from branch
         uses: ./.github/actions/build-gosop
         with: 
           binary-location: ./gosop-${{ github.sha }}
       # Upload as artifact
       - name: Upload gosop artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: gosop-${{ github.sha }}
           path: ./gosop-${{ github.sha }}
@@ -28,15 +30,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Build gosop from branch
         uses: ./.github/actions/build-gosop
         with: 
           gopenpgp-ref: ${{ github.base_ref }}
           binary-location: ./gosop-target
       # Upload as artifact
       - name: Upload gosop-target artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: gosop-target
           path: ./gosop-target
@@ -55,7 +57,7 @@ jobs:
       - build-gosop-target
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       # Fetch gosop from target
       - name: Download gosop-target
         uses: actions/download-artifact@v4
@@ -94,12 +96,12 @@ jobs:
          RESULTS_HTML: .github/test-suite/test-suite-results.html
       # Upload results
       - name: Upload test results json artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: test-suite-results.json
           path: .github/test-suite/test-suite-results.json
       - name: Upload test results html artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: test-suite-results.html
           path: .github/test-suite/test-suite-results.html
@@ -110,7 +112,7 @@ jobs:
     needs: test-suite
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Download test results json artifact
         id: download-test-results
         uses: actions/download-artifact@v4
