diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..3a626c3a7 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: monthly diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index baf6a1946..8d71cdaae 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,7 +1,9 @@ - name: Build on: [push, pull_request] +permissions: + contents: read + jobs: linux: name: Linux @@ -13,7 +15,7 @@ jobs: sudo apt-get -qq install zlib1g-dev libbz2-dev - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true @@ -47,7 +49,7 @@ jobs: run: apk add --no-cache automake autoconf gcc libtool make musl-dev git zlib zlib-dev bzip2 bzip2-dev #musl-locales - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true @@ -77,7 +79,7 @@ jobs: runs-on: macos-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true @@ -99,7 +101,7 @@ jobs: arch: ["Win32", "x64"] steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true @@ -122,7 +124,7 @@ jobs: sudo apt-get -qq install zlib1g-dev libbz2-dev libedit-dev - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true @@ -169,7 +171,7 @@ jobs: echo '```' >> "$GITHUB_STEP_SUMMARY" - name: Upload report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "Coverage report" path: './build/coverage-report' diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index 52ef4f6fa..805fa3c0c 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml @@ -1,23 +1,27 @@ name: CIFuzz on: [pull_request] + +permissions: + contents: read + jobs: Fuzzing: runs-on: ubuntu-latest steps: - name: Build Fuzzers id: build - uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master + uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@3d38acd485bc848e33396e7523b9a4f2aff9027e # master with: oss-fuzz-project-name: 'pcre2' dry-run: false - name: Run Fuzzers - uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master + uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@3d38acd485bc848e33396e7523b9a4f2aff9027e # master with: oss-fuzz-project-name: 'pcre2' fuzz-seconds: 300 dry-run: false - name: Upload Crash - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 if: failure() && steps.build.outcome == 'success' with: name: artifacts diff --git a/.github/workflows/clang-analyzer.yml b/.github/workflows/clang-analyzer.yml index 7e0edc212..55128ea1d 100644 --- a/.github/workflows/clang-analyzer.yml +++ b/.github/workflows/clang-analyzer.yml @@ -1,10 +1,18 @@ - name: Clang Static Analyzer on: [push, pull_request] +permissions: + contents: read + jobs: Analyze: runs-on: ubuntu-latest + + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + contents: read + steps: - name: Setup run: | @@ -12,7 +20,7 @@ jobs: sudo apt-get -qq install ninja-build clang-tools - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true @@ -38,14 +46,14 @@ jobs: # Upload the browsable HTML report as an artifact. - name: Upload report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "Clang Static Analyzer report" path: './build/clang-report' # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 with: sarif_file: build/clang.sarif category: clang-analyzer diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3c4fce603..190e9c230 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -20,17 +20,19 @@ on: schedule: - cron: '27 6 * * 4' -# Declare default permissions as read only. -permissions: read-all +permissions: + contents: read jobs: analyze: name: Analyze runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write actions: read contents: read - security-events: write strategy: fail-fast: false @@ -41,13 +43,13 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -58,7 +60,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -72,4 +74,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml index ed4572cdd..d776ecee1 100644 --- a/.github/workflows/dev.yml +++ b/.github/workflows/dev.yml @@ -1,9 +1,8 @@ name: Dev -on: - workflow_dispatch: - pull_request: - branches: - - master +on: [push, pull_request] + +permissions: + contents: read jobs: @@ -18,7 +17,7 @@ jobs: sudo apt-get -qq install libedit-dev - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true @@ -53,7 +52,7 @@ jobs: opt: ["-O0", "-O2"] steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true @@ -86,7 +85,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true @@ -112,12 +111,12 @@ jobs: sudo apt-get -qq install language-pack-fr ninja-build libreadline-dev - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true - name: Cache CMake - uses: actions/cache@v4 + uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 with: key: cmake-${{ env.CMAKE_VER }}-Linux-x86_64 path: cmake-${{ env.CMAKE_VER }}-Linux-x86_64.tar.gz @@ -145,7 +144,7 @@ jobs: runs-on: windows-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true @@ -164,7 +163,7 @@ jobs: runs-on: windows-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true @@ -188,7 +187,7 @@ jobs: sudo apt-get install -y valgrind - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true @@ -209,7 +208,7 @@ jobs: apt-get -qq install cmake ninja-build - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: yes @@ -232,7 +231,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 16b55999e..fecb03c8e 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -7,13 +7,14 @@ on: push: branches: [ master ] -# Declare default permissions as read only. -permissions: read-all +permissions: + contents: read jobs: analysis: name: Scorecards analysis runs-on: ubuntu-latest + permissions: # Needed to upload the results to code-scanning dashboard. security-events: write @@ -22,7 +23,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: true persist-credentials: false @@ -43,7 +44,7 @@ jobs: # Upload the results as artifacts (optional). - name: "Upload artifact" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: SARIF file path: results.sarif @@ -51,7 +52,7 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 with: sarif_file: results.sarif category: ossf-scorecard