diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..5ee7b43
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ groups:
+ actions:
+ patterns:
+ - "*"
+
+ - package-ecosystem: pip
+ directory: /
+ schedule:
+ interval: weekly
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 98bf26b..de9f117 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,19 +5,22 @@ on:
 branches: [master]
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: "3.11"
 - name: Install lint tools
 run: |
- pip install poetry
+ pip install 'poetry==1.8.5'
 poetry install --only lint
 - name: Lint
@@ -26,15 +29,15 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: "3.11"
 - name: Install dependencies
 run: |
- pip install poetry
+ pip install 'poetry==1.8.5'
 poetry install --with test
 - name: Test
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bb94dba..a13601d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
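Review bot: The new `groups:` stanza under the github-actions entry has no comment saying why every action bump lands in one weekly PR, while the `pip` entry right below it is left ungrouped, so a reader cannot tell whether the asymmetry is deliberate. Suggest placing above `groups:` the comment `# one weekly PR for all action bumps; Dependabot rewrites each pinned SHA together with its trailing "# vX.Y.Z" comment`. If the Python updates are meant to arrive one PR per package, a one-line comment on the `pip` entry saying so would settle it; if not, give it its own `groups:` block.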
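Review bot: The pin `pip install 'poetry==1.8.5'` is repeated verbatim in the lint job (this hunk) and the test job (`@@ -26,15 +29,15 @@`), so the two will drift the next time one of them is bumped. Hoist it to a workflow-level `env:` block, `POETRY_VERSION: "1.8.5"`, and have both steps run `pip install "poetry==${POETRY_VERSION}"`. Note that pinning poetry by version still lets pip resolve poetry's own dependencies at run time, so the installer is not fully reproducible; if that matters here, a hash-pinned constraints file installed with `pip install --require-hashes -r <constraints-file>` would close the gap. The `lint` job body continues past the end of the hunk.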
@@ -21,15 +21,22 @@ concurrency:
 group: ${{ github.workflow }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 env:
 IMAGE: ghcr.io/flowcanon/flow-deploy-docs
 jobs:
 release:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - id: pipeline
- uses: flowcanon/release-builder/pipeline@v3
+ # flowcanon/release-builder@v3 branch tip as of audit
+ uses: flowcanon/release-builder/pipeline@35deb72e2a585d6a7e4c230d1052a763ac47402b # v3
 with:
 force-pr: ${{ inputs.force_pr || false }}
 outputs:
@@ -45,7 +52,7 @@ jobs:
 contents: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Build binaries
 run: |
@@ -56,7 +63,7 @@ jobs:
 docker cp $(docker create flow-deploy-glibc):/build/dist/flow-deploy-linux-glibc dist/
 - name: Create GitHub release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
 with:
 tag_name: v${{ needs.release.outputs.current-version }}
 generate_release_notes: true
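Review bot: The trailing `# v3` on the new `uses: flowcanon/release-builder/pipeline@35deb72e…` line reads like a release tag, but the comment above it says the SHA is the tip of the `v3` branch as of an audit, and nothing records when that audit was. A branch tip has no release to compare against, so it is not clear Dependabot (or a human) will ever notice this pin going stale; record the date in the comment, e.g. `# v3 branch tip, audited <YYYY-MM-DD placeholder>`, and ask the action's maintainers for tagged releases so the pin can track something immutable. The same applies to `flowcanon/deploy-action@59939e9e…  # master @ audit` in the deploy job hunk (`@@ -75,28 +82,32 @@`). The job-level `permissions:` block is a good narrowing over the new read-only default; the `release` job's steps continue past the end of the hunk.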
@@ -75,28 +82,32 @@ jobs:
 packages: write
 steps:
- - uses: actions/checkout@v4
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: docker/login-action@v3
+ - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
 with:
 images: ${{ env.IMAGE }}
 tags: |
 type=sha,prefix=
- - uses: docker/build-push-action@v6
+ - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
 with:
 context: .
 push: true
 tags: ${{ steps.meta.outputs.tags }}
- - uses: flowcanon/deploy-action@master
+ - uses: flowcanon/deploy-action@59939e9e76a264708024cd3d9c1871701294b27c # master @ audit
 with:
 tag: ${{ steps.meta.outputs.version }}
 ssh-key: ${{ secrets.DEPLOY_SSH_KEY }}
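Review bot: `egress-policy: audit` on the new harden-runner step only records outbound connections, so a compromised dependency in this job, which holds `packages: write` and `DEPLOY_SSH_KEY`, can still reach any host; once a few runs have shown the expected destinations (ghcr.io and whatever `flowcanon/deploy-action` connects to), switch to `egress-policy: block` with an `allowed-endpoints:` list, and say so in a comment next to `audit` so the interim state is not mistaken for the final one. The step is added only to this deploy job; the `release` job (`@@ -21,15 +21,22 @@`) and the binary build job (`@@ -45,7 +52,7 @@`) still start with `actions/checkout` or the pipeline step, so the same step belongs at the top of each of those as well. The deploy job's remaining steps, if any, fall outside the hunk.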