66 workflow_dispatch :
77 push :
88
9- permissions :
10- contents : write
11- actions : read
12- security-events : write
13- packages : write
14-
15-
169jobs :
1710 golangci :
1811 name : lint
1912 runs-on : ubuntu-latest
13+ permissions :
14+ contents : read
2015 steps :
2116 - uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
2217 with :
2318 submodules : recursive
19+ persist-credentials : false
2420 - uses : actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - https://github.com/actions/setup-go/releases/tag/v5.5.0
2521 with :
26- go-version : ' 1.25.5 '
22+ go-version : ' 1.25.6 '
2723 cache : false
2824 - name : golangci-lint
2925 uses : golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 - https://github.com/golangci/golangci-lint-action/releases/tag/v8.0.0
@@ -34,16 +30,18 @@ jobs:
3430 tests :
3531 name : tests
3632 runs-on : ubuntu-latest
37-
33+ permissions :
34+ contents : read
3835 steps :
3936 - name : Check out code
4037 uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
4138 with :
4239 submodules : recursive
40+ persist-credentials : false
4341 - name : Set up Go
4442 uses : actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - https://github.com/actions/setup-go/releases/tag/v5.5.0
4543 with :
46- go-version : ' 1.25.5 '
44+ go-version : ' 1.25.6 '
4745
4846 - name : Run unittests
4947 run : go test $(go list ./... | grep -v "/mocks") -coverprofile=coverage.out && go tool cover -func=coverage.out
5654
5755 devguard :
5856 uses : l3montree-dev/devguard-action/.github/workflows/full.yml@main
57+ permissions :
58+ contents : write
59+ actions : read
60+ security-events : write
61+ packages : write
5962 with :
6063 asset-name : l3montree-cybersecurity/projects/devguard/assets/devguard
6164 api-url : https://api.main.devguard.org
7073
7174 build-scanner-image :
7275 uses : l3montree-dev/devguard-action/.github/workflows/build-image.yml@main
76+ permissions :
77+ contents : read
78+ packages : write
7379 with :
7480 artifact-name : " pkg:oci/scanner?repository_url=ghcr.io/l3montree-dev/devguard/scanner"
7581 asset-name : l3montree-cybersecurity/projects/devguard/assets/devguard
8389 # Image scanning job to detect vulnerabilities in the built Docker image
8490 scanner-container-scanning :
8591 uses : l3montree-dev/devguard-action/.github/workflows/container-scanning.yml@main
92+ permissions :
93+ contents : read
94+ security-events : write
8695 needs :
8796 - build-scanner-image
8897 with :
@@ -97,11 +106,14 @@ jobs:
97106 devguard-token : ${{ secrets.DEVGUARD_TOKEN }}
98107
99108 deploy-scanner :
100- needs :
109+ needs :
101110 - build-scanner-image
102111 - scanner-container-scanning
103112 - tests
104113 uses : l3montree-dev/devguard-action/.github/workflows/deploy.yml@main
114+ permissions :
115+ contents : read
116+ packages : write
105117 with :
106118 asset-name : l3montree-cybersecurity/projects/devguard/assets/devguard
107119 api-url : https://api.main.devguard.org
@@ -110,11 +122,14 @@ jobs:
110122 devguard-token : ${{ secrets.DEVGUARD_TOKEN }}
111123
112124 sign-scanner :
113- needs :
125+ needs :
114126 - build-scanner-image
115127 - scanner-container-scanning
116128 - tests
117129 uses : l3montree-dev/devguard-action/.github/workflows/sign.yml@main
130+ permissions :
131+ contents : read
132+ packages : write
118133 with :
119134 asset-name : l3montree-cybersecurity/projects/devguard/assets/devguard
120135 api-url : https://api.main.devguard.org
@@ -124,11 +139,14 @@ jobs:
124139 devguard-token : ${{ secrets.DEVGUARD_TOKEN }}
125140
126141 attest-scanner :
127- needs :
142+ needs :
128143 - build-scanner-image
129144 - scanner-container-scanning
130145 - tests
131146 uses : l3montree-dev/devguard-action/.github/workflows/attest.yml@main
147+ permissions :
148+ contents : read
149+ packages : write
132150 with :
133151 asset-name : l3montree-cybersecurity/projects/devguard/assets/devguard
134152 api-url : https://api.main.devguard.org
@@ -140,6 +158,8 @@ jobs:
140158 release :
141159 name : Build and Release Binaries
142160 runs-on : ubuntu-latest
161+ permissions :
162+ contents : write
143163 # needs: [golangci, tests, sign-scanner, devguard]
144164 if : startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/test-release'
145165 outputs :
@@ -149,16 +169,18 @@ jobs:
149169 uses : actions/checkout@v4
150170 with :
151171 fetch-depth : 0
172+ persist-credentials : false
152173
153174 - name : Set up Go
154175 uses : actions/setup-go@v5
155176 with :
156- go-version : ' 1.25'
177+ go-version : ' 1.25.6'
178+ cache : false
157179
158180 - name : Get tag
159181 id : tag
160182 run : |
161- if [[ "${{ github.ref } }" == refs/tags/* ]]; then
183+ if [[ "${GITHUB_REF }" == refs/tags/* ]]; then
162184 echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
163185 echo "TAG_NO_V=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
164186 else
@@ -170,7 +192,7 @@ jobs:
170192 mkdir -p dist
171193
172194 # Build flags for security-hardened binaries
173- BUILD_FLAGS="-s -w -buildid= -X main.version=${{ steps.tag.outputs.tag } } -X main.commit=${{ github.sha }} -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ) -X main.builtBy=github-actions"
195+ BUILD_FLAGS="-s -w -buildid= -X main.version=${STEPS_TAG_OUTPUTS_TAG } -X main.commit=${{ github.sha }} -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ) -X main.builtBy=github-actions"
174196
175197 # Build for Linux amd64
176198 GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="$BUILD_FLAGS" -o dist/devguard-scanner-linux-amd64 ./cmd/devguard-scanner
@@ -189,6 +211,8 @@ jobs:
189211
190212 # Build for macOS arm64
191213 GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -ldflags="$BUILD_FLAGS" -o dist/devguard-scanner-darwin-arm64 ./cmd/devguard-scanner
214+ env :
215+ STEPS_TAG_OUTPUTS_TAG : ${{ steps.tag.outputs.tag }}
192216
193217 - name : Create archives
194218 run : |
@@ -231,7 +255,7 @@ jobs:
231255 "
232256
233257 - name : Create GitHub Release
234- uses : softprops/action-gh-release@v1
258+ uses : softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
235259 with :
236260 tag_name : ${{ steps.tag.outputs.tag }}
237261 name : " DevGuard Scanner ${{ steps.tag.outputs.tag }}"
0 commit comments