Act on CodeQL's suggestions for tightening security / improving performance (#338)

* Act on CodeQL's actions/missing-workflow-permissions

https://codeql.github.com/codeql-query-help/actions/actions-missing-workflow-permissions/

* Be more specific in the matched regex

And don't match a group if we don't need to match one

* Make it slightly faster since we know what after -otp-

I create a const because both expressions are looking for
the same thing

Author: paulo-ferraz-oliveira

.github/workflows/action.yml

@@ -1,6 +1,9 @@
 ---
 name: action
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -41,8 +44,6 @@ jobs:
     name: Expected local npm actions
     runs-on: ubuntu-latest
     if: github.ref != 'refs/heads/main'
-    permissions:
-      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -56,8 +57,6 @@ jobs:
     name: Action
     runs-on: ubuntu-latest
     if: github.ref != 'refs/heads/main'
-    permissions:
-      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: raven-actions/actionlint@v2
@@ -94,8 +93,6 @@ jobs:
   unit_tests_macos:
     name: Unit tests (macOS)
     runs-on: macos-latest
-    permissions:
-      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4

.github/workflows/hexpm-mirrors.yml

@@ -1,6 +1,9 @@
 ---
 name: hexpm-mirrors
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:

.github/workflows/macos.yml

@@ -1,5 +1,6 @@
 ---
 name: macos
+
 permissions:
   contents: read
 

.github/workflows/ubuntu.yml

@@ -1,6 +1,9 @@
 ---
 name: ubuntu
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:

.github/workflows/update_3rd_party_licenses.yml

@@ -1,6 +1,9 @@
 ---
 name: Update 3rd party licenses (automation)
 
+permissions:
+  contents: write
+
 on:
   schedule:
     - cron: '0 12 * * *'

.github/workflows/windows.yml

@@ -1,6 +1,9 @@
 ---
 name: windows
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:

dist/index.js

@@ -26068,18 +26068,19 @@ function requestedVersionFor(tool, version, originListing, mirrors) {
 }
 
 async function getElixirVersion(exSpec0, otpVersion0) {
-  const otpVersion = otpVersion0.match(/^([^-]+-)?(.+)$/)[2]
+  const otpVersion = otpVersion0.match(/^(?:OTP-)?(.+)$/)[1]
   let otpVersionMajor = otpVersion.match(/^([^.]+).*$/)[1]
 
-  const userSuppliedOtp = exSpec0.match(/-otp-(\d+)/)?.[1] ?? null
+  const otpSuffix = /-otp-(\d+)/
+  const userSuppliedOtp = exSpec0.match(otpSuffix)?.[1] ?? null
 
   if (userSuppliedOtp && isVersion(userSuppliedOtp)) {
     otpVersionMajor = userSuppliedOtp
   }
 
   const [otpVersionsForElixirMap, elixirVersions, originListing, hexMirrors] =
     await getElixirVersions()
-  const spec = exSpec0.replace(/-otp-.*$/, '')
+  const spec = exSpec0.replace(otpSuffix, '')
   const versions = elixirVersions
   const elixirVersionFromSpec = getVersionFromSpec(spec, versions)
 

src/setup-beam.js

@@ -193,18 +193,19 @@ function requestedVersionFor(tool, version, originListing, mirrors) {
 }
 
 async function getElixirVersion(exSpec0, otpVersion0) {
-  const otpVersion = otpVersion0.match(/^([^-]+-)?(.+)$/)[2]
+  const otpVersion = otpVersion0.match(/^(?:OTP-)?(.+)$/)[1]
   let otpVersionMajor = otpVersion.match(/^([^.]+).*$/)[1]
 
-  const userSuppliedOtp = exSpec0.match(/-otp-(\d+)/)?.[1] ?? null
+  const otpSuffix = /-otp-(\d+)/
+  const userSuppliedOtp = exSpec0.match(otpSuffix)?.[1] ?? null
 
   if (userSuppliedOtp && isVersion(userSuppliedOtp)) {
     otpVersionMajor = userSuppliedOtp
   }
 
   const [otpVersionsForElixirMap, elixirVersions, originListing, hexMirrors] =
     await getElixirVersions()
-  const spec = exSpec0.replace(/-otp-.*$/, '')
+  const spec = exSpec0.replace(otpSuffix, '')
   const versions = elixirVersions
   const elixirVersionFromSpec = getVersionFromSpec(spec, versions)