diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index 9700579..4d5f328 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -5,7 +5,8 @@ name: Action Lint
 on:
 pull_request:
- branches: [ 'main', 'release-*' ]
+ branches:
+ - 'main'
 permissions: {}
@@ -14,10 +15,16 @@ jobs:
 action-lint:
 name: Action lint
 runs-on: ubuntu-latest
+
 permissions:
 contents: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
 - name: Check out code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/boilerplate.yaml b/.github/workflows/boilerplate.yaml
index 62edb60..df1ce74 100644
--- a/.github/workflows/boilerplate.yaml
+++ b/.github/workflows/boilerplate.yaml
@@ -5,7 +5,8 @@ name: Boilerplate
 on:
 pull_request:
- branches: [ 'main', 'release-*' ]
+ branches:
+ - 'main'
 permissions: {}
@@ -14,8 +15,10 @@ jobs:
 check:
 name: Boilerplate Check
 runs-on: ubuntu-latest
+
 permissions:
 contents: read
+
 strategy:
 fail-fast: false # Keep running if one leg fails.
 matrix:
@@ -34,10 +37,15 @@ jobs:
 language: YAML
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
 - name: Check out code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: chainguard-dev/actions/boilerplate@main
+ - uses: chainguard-dev/actions/boilerplate@5363dd9eb48083bbf7674a4bbe62d71c3b230edd # v1.1.2
 with:
 extension: ${{ matrix.extension }}
 language: ${{ matrix.language }}
diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml
index 0e4694e..e033390 100644
--- a/.github/workflows/donotsubmit.yaml
+++ b/.github/workflows/donotsubmit.yaml
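Review bot: The `branches:` filter in the first actionlint hunk drops `'release-*'`, so pull requests targeting a release branch will no longer run Action Lint; the same narrowing appears in boilerplate, donotsubmit, go-test (both `pull_request` and `push`) and verify. If release branches are still cut from this repository, that removes every lint, boilerplate, do-not-submit, test and codegen check from changes merged into them, and a branch-protection rule that requires these checks would have nothing to wait for. No commit description is visible here, so this may be deliberate; if it is, a short comment above the filter saying why release branches are excluded would stop the next reader from re-adding it, and if it is not, keep the second entry: `- 'main'` followed by `- 'release-*'`.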
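Review bot: `egress-policy: audit` on the new harden-runner step in the action-lint job only records outbound connections; it does not block any, so the step changes nothing about what a compromised dependency or test can reach from the runner. The identical step is added to the boilerplate, donotsubmit, go-test, style (four jobs) and verify jobs, and the step name already says it is audit-only, which is honest but leaves the workflows with no enforcement. Once a few runs have produced an audit report, the expected follow-up is `egress-policy: block` plus an `allowed-endpoints:` list built from that report, per job, since the Go jobs will need module-proxy and checksum-database hosts that the lint jobs do not. Placing the step before checkout, and pinning it to a full SHA with the version in the trailing comment, is the right shape and should be kept when the policy is tightened.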
@@ -5,7 +5,8 @@ name: Do Not Submit
 on:
 pull_request:
- branches: [ 'main', 'release-*' ]
+ branches:
+ - 'main'
 permissions: {}
@@ -14,12 +15,18 @@ jobs:
 donotsubmit:
 name: Do Not Submit
 runs-on: ubuntu-latest
+
 permissions:
 contents: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
 - name: Check out code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Do Not Submit
- uses: chainguard-dev/actions/donotsubmit@main
+ uses: chainguard-dev/actions/donotsubmit@5363dd9eb48083bbf7674a4bbe62d71c3b230edd # v1.1.2
diff --git a/.github/workflows/go-test.yaml b/.github/workflows/go-test.yaml
index d1b57fa..e164bb8 100644
--- a/.github/workflows/go-test.yaml
+++ b/.github/workflows/go-test.yaml
@@ -5,9 +5,11 @@ name: Test
 on:
 pull_request:
- branches: [ 'main', 'release-*' ]
+ branches:
+ - 'main'
 push:
- branches: [ 'main', 'release-*' ]
+ branches:
+ - 'main'
 permissions: {}
@@ -18,6 +20,11 @@ jobs:
 permissions:
 contents: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
 - name: Check out code onto GOPATH
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -41,4 +48,4 @@ jobs:
 check-latest: true
 - run: |
- go test -race ./...
+ go test -v -race ./...
diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml
index 720e4a6..0a59759 100644
--- a/.github/workflows/style.yaml
+++ b/.github/workflows/style.yaml
@@ -23,6 +23,11 @@ jobs:
 contents: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
 - name: Check out code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -44,6 +49,11 @@ jobs:
 contents: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
 - name: Check out code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -64,6 +74,11 @@ jobs:
 pull-requests: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Go
@@ -87,6 +102,11 @@ jobs:
 contents: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
 - name: Check out code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml
index 02f2dfa..3094df5 100644
--- a/.github/workflows/verify.yaml
+++ b/.github/workflows/verify.yaml
@@ -5,9 +5,11 @@ name: Verify
 on:
 pull_request:
- branches: [ 'main', 'release-*' ]
+ branches:
+ - 'main'
 push:
- branches: [ 'main', 'release-*' ]
+ branches:
+ - 'main'
 permissions: {}
@@ -16,6 +18,7 @@ jobs:
 verify:
 name: Verify Codegen
 runs-on: ubuntu-latest
+
 permissions:
 contents: read
@@ -23,6 +26,11 @@ jobs:
 GOPATH: ${{ github.workspace }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
 - name: Check out code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
@@ -55,7 +63,7 @@ jobs:
 ./hack/update-codegen.sh
 - name: Verify
- uses: chainguard-dev/actions/nodiff@main
+ uses: chainguard-dev/actions/nodiff@5363dd9eb48083bbf7674a4bbe62d71c3b230edd # main
 with:
 path: ./src/github.com/${{ github.repository }}
 fixup-command: "./hack/update-codegen.sh"
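Review bot: The trailing comment `# main` on the new nodiff pin disagrees with the `# v1.1.2` label the same commit puts on the identical SHA in boilerplate.yaml and donotsubmit.yaml. The comment is what Dependabot and Renovate read to decide which release a SHA corresponds to, so `# main` will either be treated as a floating branch reference or be ignored, and a reader skimming the file will assume the action is not pinned to a release at all. Assuming the SHA is the v1.1.2 tag as the other two files state, change the line to `uses: chainguard-dev/actions/nodiff@5363dd9eb48083bbf7674a4bbe62d71c3b230edd # v1.1.2`. The enclosing job and its `steps:` list begin outside this hunk.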