Merge pull request #1339 from IntelPython/fix/security_issues

Fix/security issues

Author: Diptorup Deb

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/black.yml

@@ -9,6 +9,8 @@ on:
   push:
     branches: [main]
 
+permissions: read-all
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   # This workflow contains a single job called "black"

.github/workflows/conda-package.yml

@@ -10,6 +10,8 @@ on:
       - main
       - release*
 
+permissions: read-all
+
 env:
   PACKAGE_NAME: numba-dpex
   MODULE_NAME: numba_dpex

.github/workflows/coverage.yml

@@ -9,21 +9,25 @@ on:
       - environment/coverage.yml
       - pyproject.toml
 
+permissions: read-all
+
 jobs:
   main:
     name: Generate coverage and push to Coveralls.io
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     defaults:
       run:
         shell: bash -l {0}
     steps:
       - name: Cancel Previous Runs
-        uses: styfle/cancel-workflow-action@0.9.1
+        uses: styfle/cancel-workflow-action@0.12.1
         with:
           access_token: ${{ github.token }}
 
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4.1.1
         with:
           fetch-depth: 0
 
@@ -58,7 +62,7 @@ jobs:
       - name: Install coveralls
         shell: bash -l {0}
         run: |
-          pip install coveralls==3.2.0
+          pip install coveralls
 
       - name: Upload coverage data to coveralls.io
         run: |

.github/workflows/coverity.yml

@@ -5,6 +5,8 @@ on:
       - main
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   Coverity:
 

.github/workflows/cpp_style_checks.yml

@@ -9,6 +9,8 @@ on:
   push:
     branches: [master]
 
+permissions: read-all
+
 jobs:
   formatting-check:
     name: clang-format

.github/workflows/docker.yml

@@ -26,6 +26,7 @@ on:
       buildkit_version:
         default: '0.11.6'
 
+permissions: read-all
 
 jobs:
   env:

.github/workflows/gh-pages.yml

@@ -13,20 +13,25 @@ on:
       - environment/docs.yml
       - .github/workflows/gh-pages.yml
 
+permissions: read-all
+
 jobs:
   main:
     if: ${{ !(github.event.pull_request && github.event.action == 'closed') }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     defaults:
       run:
         shell: bash -l {0}
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4.1.1
         with:
           fetch-depth: 0
 
-      - uses: conda-incubator/setup-miniconda@v2
+      - uses: conda-incubator/setup-miniconda@v3.0.2
         with:
           python-version: '3.10'
           miniforge-variant: Mambaforge
@@ -46,7 +51,7 @@ jobs:
         run: make html
 
       - name: GitHub Pages [main]
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@v3.9.3
         if: ${{ github.ref == 'refs/heads/main' }}
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -59,7 +64,7 @@ jobs:
           user_email: 'github-actions[bot]@users.noreply.github.com'
 
       - name: GitHub Pages [PR]
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@v3.9.3
         if: ${{ github.event.pull_request && github.event.action != 'closed' }}
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -75,15 +80,15 @@ jobs:
         if: ${{ github.event.pull_request && github.event.action != 'closed' }}
         env:
           PR_NUM: ${{ github.event.number }}
-        uses: mshick/add-pr-comment@v2
+        uses: mshick/add-pr-comment@v2.8.2
         with:
           message: |
             Documentation preview: [show](https://intelpython.github.io/numba-dpex/pull/${{ env.PR_NUM }}).
           # repo-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Publish release
         if: startsWith(github.ref, 'refs/heads/release')
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@v3.9.3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           destination_dir : next_release
@@ -99,7 +104,7 @@ jobs:
 
       - name: Publish tag
         if: startsWith(github.ref, 'refs/tags/')
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@v3.9.3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           destination_dir : ${{ steps.capture_tag.outputs.tag_number }}
@@ -110,9 +115,11 @@ jobs:
   clean:
     if: ${{ github.event.pull_request && github.event.action == 'closed' }}
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4.1.1
         with:
           fetch-depth: 0
 
@@ -132,7 +139,7 @@ jobs:
           git push tokened_docs gh-pages
 
       - name: Comment PR [docs removed]
-        uses: mshick/add-pr-comment@v1
+        uses: mshick/add-pr-comment@v2.8.2
         with:
           message: |
             Documentation preview removed.

.github/workflows/license.yml

@@ -5,12 +5,14 @@ on:
   push:
     branches: [main]
 
+permissions: read-all
+
 jobs:
   license:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4.1.1
     - uses: actions/setup-go@v3
       with:
         go-version: '1.18'