
Commit ca5fa8d

authored
chore: harden GitHub Actions workflows by following security best practices and update some readmes (#352)
1 parent 61e1439 commit ca5fa8d

12 files changed

Lines changed: 96 additions & 36 deletions

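--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -7,7 +7,7 @@ assignees: ''
 
 ---
 
-# Contributing to libphonenumber-csharp
+# Bug report
 
 Thanks for contributing to libphonenumber-csharp!
 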

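--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,14 @@
+blank_issues_enabled: true
+contact_links:
+- name: Phone number metadata / region issue
+url: https://github.com/google/libphonenumber/issues
+about: >-
+This library uses the phone number metadata verbatim from Google's
+upstream libphonenumber. Issues about a specific region's numbering,
+validation rules, or formatting must be filed with Google — they are
+synced here automatically and cannot be fixed in this repository.
+- name: Reproduce on the Google demo first
+url: https://libphonenumber.appspot.com
+about: >-
+If the behaviour also reproduces on Google's official demo, it is an
+upstream issue and should be reported to google/libphonenumber.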
Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,39 @@
1+
---
2+
name: Feature request
3+
about: Suggest an idea or enhancement for this library
4+
title: ''
5+
labels: enhancement
6+
assignees: ''
7+
8+
---
9+
10+
# Feature request
11+
12+
Thanks for contributing to libphonenumber-csharp!
13+
14+
> [!IMPORTANT]
15+
> This library is a faithful C# port of Google's
16+
> [libphonenumber](https://github.com/google/libphonenumber). Changes to phone
17+
> number parsing/validation/formatting behaviour or to region metadata belong
18+
> upstream with Google and will be picked up here automatically. This tracker is
19+
> for C#-specific API, packaging, and porting requests.
20+
21+
## Is your feature request related to a problem?
22+
23+
A clear and concise description of what the problem is. E.g. This port is missing
24+
[...]".
25+
26+
## Describe the solution you'd like
27+
28+
A clear and concise description of what you want to happen, including the
29+
proposed API surface if relevant.
30+
31+
## Describe alternatives you've considered
32+
33+
A clear and concise description of any alternative solutions or workarounds
34+
you've considered.
35+
36+
## Additional context
37+
38+
Add any other context, code snippets, or references to the upstream Java
39+
behaviour here.

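--- a/.github/workflows/build_and_run_demo_tests.yml
+++ b/.github/workflows/build_and_run_demo_tests.yml
@@ -16,14 +16,17 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
+permissions:
+contents: read
+
 jobs:
 build_and_run_demo_tests:
 runs-on: ubuntu-latest
 timeout-minutes: 20
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Setup .NET
-uses: actions/setup-dotnet@v5
+uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5
 with:
 dotnet-version: 10.x
 - name: Restore dependencies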
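Review bot: The version comment on the pinned checkout SHA is `# v6` here, while deploy-demo.yml annotates the identical SHA `df4cb1c0…` as `# v6.0.3` (and the same setup-dotnet SHA `9a946fdb…` as `# v5.3.0`); the bare-major comments recur in build_and_run_unit_tests_linux.yml, codeql.yml, create_new_release_on_new_metadata_update.yml, run_all_tests_and_upload_code_coverage.yml and post_performance_test_comment.yml. The comment is the only human-readable record of what a SHA pin corresponds to, and pin-updating tools such as Dependabot and Renovate use it to decide what to bump, so an imprecise or inconsistent tag makes the pins harder to audit. Use the full tag everywhere, e.g. `- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3` and `uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0`. The job's remaining steps continue below the hunk.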

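--- a/.github/workflows/build_and_run_unit_tests_linux.yml
+++ b/.github/workflows/build_and_run_unit_tests_linux.yml
@@ -9,14 +9,17 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
+permissions:
+contents: read
+
 jobs:
 build_and_run_unit_tests_linux:
 runs-on: ubuntu-latest
 timeout-minutes: 20
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Setup .NET
-uses: actions/setup-dotnet@v5
+uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5
 with:
 dotnet-version: 10.x
 - name: Restore dependencies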

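--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -42,13 +42,13 @@ jobs:
 # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
 steps:
 - name: Checkout repository
-uses: actions/checkout@v6
+uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Setup .NET
-uses: actions/setup-dotnet@v5
+uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5
 with:
 dotnet-version: 10.x
 - name: Initialize CodeQL
-uses: github/codeql-action/init@v4.36.0
+uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
@@ -73,6 +73,6 @@ jobs:
 dotnet build
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@v4.36.0
+uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 category: "/language:${{matrix.language}}"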
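Review bot: Neither hunk shows a `permissions` block for this workflow, although the commit adds `contents: read` to the other CI workflows; the top of the file and the job header are outside the hunks, so the scope may already be declared there, but if it is not, the job runs on the repository's default token scope, which is what this hardening pass is meant to remove. `github/codeql-action/analyze` uploads results to code scanning and needs `security-events: write` in addition to `contents: read` for the checkout, so the minimal job-level block is `permissions:` / `contents: read` / `security-events: write`. Pinning both codeql-action steps to the same SHA `8aad20d1…` with `# v4.36.2` is consistent and should stay that way when either is bumped.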

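--- a/.github/workflows/create_new_release_on_new_metadata_update.yml
+++ b/.github/workflows/create_new_release_on_new_metadata_update.yml
@@ -11,13 +11,18 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: false
 
+# Elevated above the read-only default because the update script pushes a commit
+# and creates a GitHub release via GITHUB_TOKEN.
+permissions:
+contents: write
+
 jobs:
 create_new_release_on_new_metadata_update:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Setup .NET
-uses: actions/setup-dotnet@v5
+uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5
 with:
 dotnet-version: 9.x
 - name: Get new metadata information and create new GitHub release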
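Review bot: The job has no `timeout-minutes` (`runs-on: ubuntu-latest` is followed directly by `steps:`), unlike the other workflows in this commit, which set `timeout-minutes: 20`; since this workflow now runs with `contents: write`, a hung step keeps a write-scoped token alive until the runner's default limit. Add `timeout-minutes: 20` (or whatever the release step realistically needs) under `runs-on:`. The comment explaining the elevated scope is helpful; because `contents: write` is declared at workflow level it applies to every job in the file, so it is worth confirming that the push/release step below the hunk is the only consumer and moving the block to job level if more jobs are ever added. The job also pins `dotnet-version: 9.x` while the other workflows use `10.x`; if that is intentional, a short comment next to it would stop a later cleanup from "fixing" it.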

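--- a/.github/workflows/deploy-demo.yml
+++ b/.github/workflows/deploy-demo.yml
@@ -30,9 +30,9 @@ jobs:
 url: ${{ steps.deployment.outputs.page_url }}
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
-- uses: actions/setup-dotnet@v5
+- uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
 with:
 dotnet-version: 10.x
 
@@ -46,11 +46,11 @@ jobs:
 cp release/wwwroot/index.html release/wwwroot/404.html
 touch release/wwwroot/.nojekyll
 
-- uses: actions/configure-pages@v5
+- uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
 
-- uses: actions/upload-pages-artifact@v5
+- uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
 with:
 path: release/wwwroot
 
 - id: deployment
-uses: actions/deploy-pages@v5
+uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0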
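Review bot: Pinning `actions/configure-pages` moves it from `@v5` to the SHA annotated `# v6.0.0`, which is a major-version upgrade bundled into a hardening commit rather than a pure SHA pin; the same happens to `codecov/codecov-action` (`v6.0.0` → `v7.0.0`) in run_all_tests_and_upload_code_coverage.yml. A major bump can change inputs or defaults, and the commit message only describes pinning, so either pin the currently used major first and bump in a separate commit, or call the upgrades out in the description so the behaviour change is reviewable on its own. The `permissions` scopes the Pages deployment needs (`pages: write`, `id-token: write`) sit outside these hunks and could not be checked here; the full-tag comments used in this file (`# v6.0.3`, `# v5.3.0`) are the form the other workflows should adopt.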

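--- a/.github/workflows/post_performance_test_comment.yml
+++ b/.github/workflows/post_performance_test_comment.yml
@@ -22,15 +22,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Download benchmark artifact
-uses: actions/download-artifact@v8
+uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: benchmark-results
 path: benchmark-artifact
 run-id: ${{ github.event.workflow_run.id }}
 github-token: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Post benchmark results to PR
-uses: actions/github-script@v9
+uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
 with:
 script: |
 const fs = require('fs');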
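Review bot: This workflow downloads an artifact from another run (`run-id: ${{ github.event.workflow_run.id }}`) and then reads it with `fs` inside a `github-script` step that holds `GITHUB_TOKEN`; when the producing run was triggered by a pull request, that artifact is input controlled by the PR author, so the script should use its contents only as opaque text for the comment body and never to derive the target PR number, repository or any other API parameter. The script body and the workflow's `permissions` block are outside the hunk, so neither could be confirmed here; since this is the one CI workflow in the commit that needs to write, it should get an explicit minimal scope such as `permissions:` / `pull-requests: write` rather than inherit the default. I would add a comment above the download step: `# benchmark-artifact is produced by a PR-triggered run and is untrusted: use it as display text only and validate before parsing.`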

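--- a/.github/workflows/run_all_tests_and_upload_code_coverage.yml
+++ b/.github/workflows/run_all_tests_and_upload_code_coverage.yml
@@ -10,20 +10,23 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
+permissions:
+contents: read
+
 jobs:
 run_all_tests_and_upload_code_coverage:
 runs-on: windows-latest
 timeout-minutes: 20
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Setup .NET
-uses: actions/setup-dotnet@v5
+uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5
 with:
 dotnet-version: 10.x
 - name: Run tests
 run: dotnet test csharp/PhoneNumbers.sln --configuration Release --verbosity normal --collect:"XPlat Code Coverage" --results-directory ./coverage
 - name: Upload coverage reports to Codecov
-uses: codecov/codecov-action@v6.0.0
+uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 slug: twcclegg/libphonenumber-csharp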
