
Commit f3e1d73

committed
ci: tighten security of checkout action
1 parent 0b23db1 commit f3e1d73


1 file changed

+46
-47
lines changed


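--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -28,49 +28,48 @@ jobs:
 packages: write
 attestations: write
 id-token: write
-
+
 steps:
-- name: "⬇ Checkout"
-uses: actions/checkout@v4
-
-- name: "🐳 Login to GHCR"
-uses: docker/login-action@v3
-with:
-registry: ghcr.io
-username: ${{ github.repository_owner }}
-password: ${{ secrets.GITHUB_TOKEN }}
-
-- name: 🔍️ Determine metadata
-id: meta
-uses: docker/metadata-action@v5
-with:
-images: ${{ env.IMAGE_NAME }}
-tags: |
-type=ref,event=branch
-type=ref,event=pr
-type=semver,pattern={{version}}
-type=semver,pattern={{major}}.{{minor}}
-
-- name: "🐳 Set up Docker Buildx"
-uses: docker/setup-buildx-action@v3
-
-- name: "🏗 Build & push by digest"
-id: docker_build
-uses: docker/build-push-action@v6
-with:
-context: ./src
-platforms: linux/amd64,linux/arm64
-
-# metadata
-labels: ${{ steps.meta.outputs.labels }}
-
-# inline cache
-cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:${{ env.DOCKER_METADATA_OUTPUT_VERSION }}
-cache-to: type=inline
-
-# export
-outputs: type=image,"name=${{ env.IMAGE_NAME }}",push-by-digest=true,name-canonical=true,push=true
+- name: "⬇ Checkout"
+uses: actions/checkout@v6
+
+- name: "🐳 Login to GHCR"
+uses: docker/login-action@v3
+with:
+registry: ghcr.io
+username: ${{ github.repository_owner }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+- name: 🔍️ Determine metadata
+id: meta
+uses: docker/metadata-action@v5
+with:
+images: ${{ env.IMAGE_NAME }}
+tags: |
+type=ref,event=branch
+type=ref,event=pr
+type=semver,pattern={{version}}
+type=semver,pattern={{major}}.{{minor}}
 
+- name: "🐳 Set up Docker Buildx"
+uses: docker/setup-buildx-action@v3
+
+- name: "🏗 Build & push by digest"
+id: docker_build
+uses: docker/build-push-action@v6
+with:
+context: ./src
+platforms: linux/amd64,linux/arm64
+
+# metadata
+labels: ${{ steps.meta.outputs.labels }}
+
+# inline cache
+cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:${{ env.DOCKER_METADATA_OUTPUT_VERSION }}
+cache-to: type=inline
+
+# export
+outputs: type=image,"name=${{ env.IMAGE_NAME }}",push-by-digest=true,name-canonical=true,push=true
 
 test:
 name: "🧪 Test"
@@ -79,14 +78,14 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-os: [ "ubuntu-latest", "ubuntu-22.04-arm" ]
-arch: [ "armhf", "arm64" ]
+os: ["ubuntu-latest", "ubuntu-22.04-arm"]
+arch: ["armhf", "arm64"]
 
 runs-on: "${{ matrix.os }}"
 
 steps:
 - name: "⬇ Checkout"
-uses: actions/checkout@v4
+uses: actions/checkout@v6
 
 - name: "🛠 Prepare workspace with a fresh RPi lite image"
 shell: bash
@@ -142,11 +141,11 @@ jobs:
 workspace: ${{ github.workspace }}/workspace
 scripts: ${{ github.workspace }}/scripts
 environment: '{ "EDITBASE_ARCH": "${{ env.EDITBASE_ARCH }}" }'
-custopizer: '${{ needs.build.outputs.digest }}'
+custopizer: "${{ needs.build.outputs.digest }}"
 
 deploy:
 name: "📦 Deploy"
-needs:
+needs:
 - build
 - test
 runs-on: "ubuntu-latest"
@@ -166,7 +165,7 @@ jobs:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
-
+
 - name: 🔍️ Determine metadata
 id: meta
 uses: docker/metadata-action@v5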
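Review bot: Moving `actions/checkout@v4` to `actions/checkout@v6` (new lines 34 and 88) does not by itself "tighten security" in the supply-chain sense, because `v6` is still a mutable tag that resolves to whatever commit the action's maintainers — or anyone who compromises that repository — point it at. For a job that holds `packages: write`, `attestations: write` and `id-token: write`, the meaningful hardening is to pin every third-party action to the full commit SHA of the intended release and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-40-hex-sha> # v6`; the docker/login-action, metadata-action, setup-buildx-action and build-push-action references in the same hunk are in the same position. Independently, checkout persists the job's `GITHUB_TOKEN` in `.git/config` by default, where later steps in the job (the `shell: bash` image-preparation step in the test job, for instance) can read it; unless a later step needs to push with that token, add `with:` / `persist-credentials: false` under each checkout step. The deploy job's steps continue past the last hunk, so its own checkout/action pins are not visible here.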
