
Commit c140cec

authored
CI: harden actions (#263)
1 parent 3bbac62 commit c140cec


6 files changed

+46
-1
lines changed


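--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,53 +4,75 @@ updates:
 directory: /.github/builder
 schedule:
 interval: daily
+cooldown:
+default-days: 7
 
 - package-ecosystem: github-actions
 directory: /
 schedule:
 interval: daily
+cooldown:
+default-days: 7
 
 - package-ecosystem: docker
 directory: /
 schedule:
 interval: daily
+cooldown:
+default-days: 7
 
 - package-ecosystem: docker
 directory: /examples/manual-example
 schedule:
 interval: daily
+cooldown:
+default-days: 7
 
 - package-ecosystem: docker
 directory: /examples/tutorials/edk2-simics-platform
 schedule:
 interval: daily
+cooldown:
+default-days: 7
 
 - package-ecosystem: docker
 directory: /examples/tutorials/edk2-uefi
 schedule:
 interval: daily
+cooldown:
+default-days: 7
 
 - package-ecosystem: docker
 directory: /examples/tutorials/risc-v-kernel
 schedule:
 interval: daily
+cooldown:
+default-days: 7
 
 - package-ecosystem: docker
 directory: /tests/rsrc/riscv-64
 schedule:
 interval: daily
+cooldown:
+default-days: 7
 
 - package-ecosystem: docker
 directory: /tests/rsrc/x86_64-breakpoint-uefi-edk2
 schedule:
 interval: daily
+cooldown:
+default-days: 7
 
 - package-ecosystem: docker
 directory: /tests/rsrc/x86_64-timeout-uefi-edk2
 schedule:
 interval: daily
+cooldown:
+default-days: 7
 
 - package-ecosystem: docker
 directory: /tests/rsrc/x86_64-uefi-edk2
 schedule:
 interval: daily
+cooldown:
+default-days: 7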
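Review bot: The 7-day `cooldown` is now repeated verbatim in all eleven `updates` entries with no comment saying why it exists, so the next person adding an ecosystem has nothing to copy the intent from; I would put a short comment above the first occurrence, e.g. `# cooldown: skip releases younger than 7 days so short-lived compromised or yanked versions are never proposed`, and carry it into new entries. It is worth stating in that comment that, as far as I know, Dependabot's cooldown applies to version updates only and does not delay security updates, so this does not hold back fixes for published advisories. The first entry's `package-ecosystem` line and the head of the `updates` list are outside the hunk.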

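--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -103,6 +103,7 @@ jobs:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 lfs: true
+persist-credentials: false
 
 - name: Download Craff
 uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
@@ -153,6 +154,7 @@ jobs:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 lfs: true
+persist-credentials: false
 
 - name: Cache Test Artifacts
 id: cache-test-artifacts-x86_64-breakpoint-uefi-edk2
@@ -192,6 +194,7 @@ jobs:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 lfs: true
+persist-credentials: false
 
 - name: Cache Test Artifacts
 id: cache-test-artifacts-x86_64-crash-uefi
@@ -231,6 +234,7 @@ jobs:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 lfs: true
+persist-credentials: false
 
 - name: Cache Test Artifacts
 id: cache-test-artifacts-x86_64-timeout-uefi-edk2
@@ -270,6 +274,7 @@ jobs:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 lfs: true
+persist-credentials: false
 
 - name: Cache Test Artifacts
 id: cache-test-artifacts-x86_64-uefi
@@ -309,6 +314,7 @@ jobs:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 lfs: true
+persist-credentials: false
 
 - name: Cache Test Artifacts
 id: cache-test-artifacts-x86_64-uefi-edk2
@@ -350,6 +356,7 @@ jobs:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 lfs: true
+persist-credentials: false
 
 - name: Download Craff
 uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
@@ -466,6 +473,7 @@ jobs:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 lfs: true
+persist-credentials: false
 
 - name: Delete Un-Built Test Dependencies
 run: |
@@ -677,6 +685,7 @@ jobs:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 lfs: true
+persist-credentials: false
 
 # enforce the gnu target here, since cargo-simics-build isn't compatible with x86_64-pc-windows-msvc
 - name: Setup, Build, and Install TSFFS
@@ -734,6 +743,7 @@ jobs:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 lfs: true
+persist-credentials: false
 
 - name: Cache Builder Dependencies
 id: cache-builder-dependencies
@@ -744,7 +754,7 @@ jobs:
 
 # tomllib is available in Python 3.11 and later
 - name: Set up Python 3.11
-uses: actions/setup-python@v6
+uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
 with:
 python-version: "3.11"
 
@@ -824,6 +834,7 @@ jobs:
 with:
 fetch-depth: 0
 lfs: false
+persist-credentials: false
 
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3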
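Review bot: The new `setup-python` pin in the `@@ -744,7 +754,7 @@` hunk records only the major tag, `# v6`, while every other SHA pin in the file records the exact release it resolves to (`# v5.0.0`, `# v6.0.0`), so a reader cannot check the SHA against a specific release without resolving it by hand; I would write `uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # <exact release tag>` with the tag that commit actually carries. The pre-existing `# v3` on `docker/setup-buildx-action` in the last hunk has the same shortcoming and could be aligned in the same pass. The `persist-credentials: false` additions are the right default, but they stop the token from being written into `.git/config`, so any later step in these jobs that pushes or fetches over authenticated git would now need an explicit token; none of the steps visible in the hunks do, and every job body continues outside the hunk.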

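--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -47,6 +47,8 @@ jobs:
 
 - name: Checkout repository
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+with:
+persist-credentials: false
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL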

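--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -23,5 +23,7 @@ jobs:
 
 - name: 'Checkout Repository'
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+with:
+persist-credentials: false
 - name: 'Dependency Review'
 uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # v4.8.1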

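--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -44,6 +44,8 @@ jobs:
 sudo apt-get -y install curl
 
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+with:
+persist-credentials: false
 
 - uses: dtolnay/rust-toolchain@83bdede770b06329615974cf8c786f845d824dfb # nightly
 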
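Review bot: With `persist-credentials: false` on this checkout the workflow token is no longer left in `.git/config`, so if the docs job ends by publishing the built site with a plain `git push` (for example to a `gh-pages` branch), that step now needs its own token input or `GITHUB_TOKEN` passed explicitly. The publish step is outside the hunk, so I can only flag it as something to verify before merging. If the job deploys through an action that takes a token input, or through the Pages deployment API, nothing further is needed.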

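--- a/.github/workflows/scans.yml
+++ b/.github/workflows/scans.yml
@@ -25,6 +25,7 @@ jobs:
 with:
 fetch-depth: 0
 lfs: false
+persist-credentials: false
 
 - name: (CT222) (E/C) - Use hadolint to evaluate Dockerfile configuration
 env:
@@ -109,6 +110,7 @@ jobs:
 with:
 fetch-depth: 0
 lfs: false
+persist-credentials: false
 
 - name: Setup Docker
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -146,6 +148,7 @@ jobs:
 with:
 fetch-depth: 0
 lfs: false
+persist-credentials: false
 
 - name: Build Image
 run: |
@@ -170,6 +173,7 @@ jobs:
 with:
 fetch-depth: 0
 lfs: false
+persist-credentials: false
 
 - name: Build Image
 run: |
@@ -194,6 +198,7 @@ jobs:
 with:
 fetch-depth: 0
 lfs: false
+persist-credentials: false
 
 - name: Build Image
 run: |
@@ -225,6 +230,7 @@ jobs:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 lfs: false
+persist-credentials: false
 
 - uses: dtolnay/rust-toolchain@83bdede770b06329615974cf8c786f845d824dfb # nightly
 with: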
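Review bot: Five of the six checkouts in this file keep `fetch-depth: 0`, and with the new `persist-credentials: false` any later step that talks to the remote over git (a `git fetch`, or a scanner that diffs against the base branch) now runs without credentials; that still works for read access on a public repository but fails on a private one. None of the steps visible in the hunks do this, and each job body continues outside the hunk, so treat it as a check rather than a defect. Where a scanner only needs the files already on disk, the full-history clone could also be replaced by the default depth, though that predates this change.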
