Skip to content

Commit 2683575

Browse files
author
Thomas De Meyer
authored
Merge pull request #50 from labd/pin-actions
Add pinact and zizmor workflow checks
2 parents 8e92199 + 96ce261 commit 2683575

7 files changed

Lines changed: 97 additions & 20 deletions

File tree

.github/dependabot.yaml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,8 @@ updates:
1111
go:
1212
patterns:
1313
- "*"
14+
cooldown:
15+
default-days: 7
1416

1517
- package-ecosystem: "github-actions"
1618
directory: "/"
@@ -23,3 +25,5 @@ updates:
2325
github-actions:
2426
patterns:
2527
- "*"
28+
cooldown:
29+
default-days: 7

.github/workflows/dependabot-changie.yaml

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -12,24 +12,26 @@ permissions:
1212
jobs:
1313
dependabot-changie:
1414
runs-on: ubuntu-latest
15-
if: github.actor == 'dependabot[bot]'
15+
if: github.event.pull_request.user.login == 'dependabot[bot]'
1616
steps:
1717
- name: Checkout
18-
uses: actions/checkout@v4
18+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
19+
with:
20+
persist-credentials: false
1921

2022
- name: Fetch Dependabot metadata
2123
id: dependabot-metadata
22-
uses: dependabot/fetch-metadata@v2
24+
uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
2325
with:
2426
github-token: "${{ secrets.GITHUB_TOKEN }}"
2527

2628
- name: Create change file
27-
uses: miniscruff/changie-action@v2
29+
uses: miniscruff/changie-action@6dcc2533cac0495148ed4046c438487e4dceaa23 # v2.0.0
2830
with:
2931
version: latest
3032
args: new --body "${{ github.event.pull_request.title }}" --kind Dependency
3133

32-
- uses: stefanzweifel/git-auto-commit-action@v7-next
34+
- uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
3335
with:
3436
commit_message: "chore(deps): add changelog for dependabot updates"
3537
commit_user_name: "dependabot[bot]"

.github/workflows/pinact.yaml

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
name: Pinact
2+
3+
on:
4+
push:
5+
branches: ["main"]
6+
pull_request:
7+
branches: ["**"]
8+
paths:
9+
- ".github/workflows/**"
10+
- ".github/actions/**"
11+
12+
permissions: {}
13+
14+
jobs:
15+
pinact:
16+
# Only run on pull requests from the same repository
17+
if: github.event.pull_request.head.repo.full_name == github.repository
18+
runs-on: ubuntu-latest
19+
permissions:
20+
contents: read
21+
steps:
22+
- name: Checkout
23+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
24+
with:
25+
persist-credentials: false
26+
27+
- name: Pin actions
28+
uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0
29+
with:
30+
skip_push: true
31+
verify: true
32+
min_age: 7

.github/workflows/release.yaml

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -7,24 +7,26 @@ jobs:
77
runs-on: ubuntu-latest
88
steps:
99
- name: Checkout
10-
uses: actions/checkout@v4
10+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
1111
with:
1212
fetch-depth: 0
13+
persist-credentials: false
1314

1415
- name: Set up Go
15-
uses: actions/setup-go@v5
16+
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
1617
with:
1718
go-version-file: go.mod
19+
cache: false
1820

1921
- name: Import GPG key
2022
id: import_gpg
21-
uses: paultyng/ghaction-import-gpg@v2.1.0
23+
uses: paultyng/ghaction-import-gpg@53deb67fe3b05af114ad9488a4da7b782455d588 # v2.1.0
2224
env:
2325
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
2426
PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
2527

2628
- name: Run GoReleaser
27-
uses: goreleaser/goreleaser-action@v6
29+
uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
2830
with:
2931
version: latest
3032
args: release --clean

.github/workflows/tests.yaml

Lines changed: 14 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -11,12 +11,14 @@ jobs:
1111
generate:
1212
runs-on: ubuntu-latest
1313
steps:
14-
- uses: actions/checkout@v4
15-
- uses: actions/setup-go@v5
14+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
15+
with:
16+
persist-credentials: false
17+
- uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
1618
with:
1719
go-version-file: 'go.mod'
1820
cache: true
19-
- uses: hashicorp/setup-terraform@v3
21+
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
2022
- run: go generate ./...
2123
- name: git diff
2224
run: |
@@ -26,25 +28,27 @@ jobs:
2628
test:
2729
runs-on: ubuntu-latest
2830
steps:
29-
- uses: actions/checkout@v4
31+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
32+
with:
33+
persist-credentials: false
3034

3135
- name: Set up Go
32-
uses: actions/setup-go@v5
36+
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
3337
with:
3438
go-version-file: 'go.mod'
3539
cache: true
3640

3741
- name: golangci-lint
3842
continue-on-error: true
39-
uses: golangci/golangci-lint-action@v6
43+
uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
4044
with:
4145
args: --issues-exit-code=0 --timeout=5m
4246

4347
- name: Run tests
4448
run: go test -race -coverprofile=coverage.out -covermode=atomic -coverpkg=./... -v ./...
4549

4650
- name: Upload to codecov
47-
uses: codecov/codecov-action@v5
51+
uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4
4852
with:
4953
verbose: true
5054

@@ -57,12 +61,13 @@ jobs:
5761
pull-requests: write
5862
actions: write
5963
steps:
60-
- uses: actions/checkout@v4
64+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
6165
with:
6266
fetch-depth: 0
67+
persist-credentials: false
6368

6469
- name: Prepare release
65-
uses: labd/changie-release-action@v0.6.0
70+
uses: labd/changie-release-action@ac4d65e736733f1d2c363dd5d99b43a1add5aaef # v0.6.0
6671
with:
6772
github-token: ${{ secrets.GITHUB_TOKEN }}
6873
release-workflow: 'release.yaml'

.github/workflows/triage.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,13 +15,13 @@ jobs:
1515
steps:
1616
- name: get app token
1717
id: get-app-token
18-
uses: labd/action-gh-app-token@main
18+
uses: labd/action-gh-app-token@570381a08efe9c961806a3a3bc5882af5f50ef6a # v0.1.0
1919
with:
2020
app-id: ${{ secrets.RD_APP_ID }}
2121
private-key: ${{ secrets.RD_APP_PRIVATE_KEY }}
2222
installation-id: ${{ secrets.RD_APP_INSTALLATION_ID }}
2323
- name: set to project board
24-
uses: actions/add-to-project@v1.0.2
24+
uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
2525
with:
2626
project-url: https://github.com/orgs/labd/projects/3
2727
github-token: ${{ steps.get-app-token.outputs.app-token }}

.github/workflows/zizmor.yaml

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
name: Zizmor
2+
3+
on:
4+
push:
5+
branches: ["main"]
6+
pull_request:
7+
branches: ["**"]
8+
paths:
9+
- ".github/workflows/**"
10+
- ".github/actions/**"
11+
12+
permissions: {}
13+
14+
jobs:
15+
zizmor:
16+
name: Run zizmor
17+
runs-on: ubuntu-latest
18+
permissions:
19+
contents: read
20+
actions: read
21+
steps:
22+
- name: Checkout repository
23+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
24+
with:
25+
persist-credentials: false
26+
27+
- name: Run zizmor
28+
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
29+
with:
30+
advanced-security: false
31+
annotations: true
32+
min-severity: high

0 commit comments

Comments
 (0)