Skip to content

Commit b8b24c0

Browse files
aperezdcaperezdc
committed
CI: Restrict permissions, pin action revisions
1 parent e77612e commit b8b24c0

1 file changed

Lines changed: 13 additions & 7 deletions

File tree

.github/workflows/build.yml

Lines changed: 13 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,8 @@ on:
1010

1111
jobs:
1212
build:
13+
name: Build
14+
permissions: { }
1315
runs-on: ubuntu-24.04
1416
strategy:
1517
matrix:
@@ -21,21 +23,23 @@ jobs:
2123
- "luajit-2.1"
2224
steps:
2325
- name: Checkout
24-
uses: actions/checkout@v6
26+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
27+
with:
28+
persist-credentials: false
2529
- name: Cache Dependencies
26-
uses: actions/cache@v5
30+
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306
2731
with:
2832
path: |
2933
.lua/
3034
.luarocks/
3135
key: ${{ runner.os }}-${{ matrix.lua }}-${{ hashFiles('.github/workflows/build.yml') }}
3236
- name: Setup Lua
33-
uses: leafo/gh-actions-lua@v12
37+
uses: leafo/gh-actions-lua@8c9e175e7a3d77e21f809eefbee34a19b858641b
3438
if: steps.cache.outputs.cache-hit != 'true'
3539
with:
3640
luaVersion: ${{ matrix.lua }}
3741
- name: Setup LuaRocks
38-
uses: leafo/gh-actions-luarocks@v6
42+
uses: leafo/gh-actions-luarocks@97053c556d6ce2c8e26eb7ac93743437c7af7248
3943
- name: Dependencies
4044
run: |-
4145
luarocks install --only-deps $(find luarocks -name '*-scm-*.rockspec' | sort -g | tail -1)
@@ -49,16 +53,18 @@ jobs:
4953
- name: Coverage Report
5054
run: |
5155
luacov-coveralls --dryrun -e '.luarocks/' -e spec/ -e luarocks/ -i wcwidth/ -i wcwidth.lua -o coveralls.json -v
52-
- name: Coveralls
53-
uses: coverallsapp/github-action@v2
56+
- name: Report Coverage
57+
uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b
5458
with:
5559
parallel: true
5660
file: coveralls.json
5761
finish:
62+
name: Aggregate Coverage
63+
permissions: { }
5864
runs-on: ubuntu-24.04
5965
needs: [build]
6066
if: ${{ always() }}
6167
steps:
62-
- uses: coverallsapp/github-action@v2
68+
- uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b
6369
with:
6470
parallel-finished: true

0 commit comments

Comments
 (0)