GH Actions audit and cleanup; go bumps (#123)

Author: philpennock

.github/workflows/docs_deploy.yml

@@ -1,38 +1,43 @@
 name: Deploy Docs
-permissions:
-  contents: write
 on:
   push:
     tags:
       - "[0-9]+.[0-9]+.[0-9]+"
   workflow_dispatch:
 
+permissions: {}  # future-proof, preemptively move permissions into jobs level
+
 jobs:
   deploy:
     concurrency: ci-${{ github.ref }}
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     env:
       HUGO_VERSION: 0.123.8
+    permissions:
+      # We deploy to GitHub Pages via push to gh-pages branch
+      contents: write
+
     steps:
-      - 
+      -
         name: Install Hugo CLI
         run: |
           wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
           && sudo dpkg -i ${{ runner.temp }}/hugo.deb
-      - 
+      -
         name: Install Dart Sass
         run: sudo snap install dart-sass
-      - 
+      -
         name: Checkout
         uses: actions/checkout@v4
         with:
           submodules: recursive
           fetch-depth: 0
-      - 
+          persist-credentials: true  # for push to gh-pages branch
+      -
         name: Install Node.js dependencies
         working-directory: ./docs
         run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
-      - 
+      -
         name: Build with Hugo
         working-directory: ./docs
         env:
@@ -42,8 +47,8 @@ jobs:
           hugo \
             --gc \
             --minify \
-            --baseURL "https://docs.natster.io" 
-      - 
+            --baseURL "https://docs.natster.io"
+      -
         name: Deploy Docs
         uses: JamesIves/github-pages-deploy-action@v4
         with:

.github/workflows/docs_pr.yml

@@ -8,52 +8,66 @@ on:
       - synchronize
       - closed
 
-permissions: write-all
-
 concurrency: preview-${{ github.ref }}
 defaults:
   run:
     shell: bash
 
+permissions: {}  # future-proof, preemptively move permissions into jobs level
+
 jobs:
   deploy-preview:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     env:
       HUGO_VERSION: 0.123.8
+    permissions:
+      # the preview step writes to the gh-pages branch and pushes;
+      # it updates deployments and leaves comments on issues
+      contents: write
+      deployments: write
+      issues: write
+      # TBD: might we also need `pages: write` for a new deploy?
+      # I (pdp 2025-03) don't see that; rossjrw/pr-preview-action uses JamesIves/github-pages-deploy-action
+      # under the covers and that's all git force-pushing of deployment branches.
+
     steps:
-      - 
+      -
         name: Install Hugo CLI
         run: |
           wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
           && sudo dpkg -i ${{ runner.temp }}/hugo.deb
-      - 
+      -
         name: Install Dart Sass
         run: sudo snap install dart-sass
-      - 
+      -
         name: Checkout
         uses: actions/checkout@v4
         with:
           submodules: recursive
           fetch-depth: 0
-      - 
+          persist-credentials: true  # for step 'preview'
+      -
         name: Install Node.js dependencies
         working-directory: ./docs
         run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
-      - 
+      -
         name: Build with Hugo
-        working-directory: ./docs
+        id: build
         if: github.event.action != 'closed' # skip the build if the PR has been closed
+        working-directory: ./docs
         env:
           HUGO_ENVIRONMENT: production
           HUGO_ENV: production
         run: |
           hugo \
             --gc \
             --minify \
-            --baseURL "https://docs.natster.io/pr-preview/pr-${{ github.event.number }}" 
-      - 
+            --baseURL "https://docs.natster.io/pr-preview/pr-${{ github.event.number }}"
+      -
         name: Deploy preview
+        id: preview
+        if: github.event.action != 'closed' # skip the build if the PR has been closed
         uses: rossjrw/pr-preview-action@v1
         with:
           source-dir: ./docs/public/
-          custom-url: "docs.natster.io"
+          pages-base-url: "docs.natster.io"

.github/workflows/release.yml

@@ -6,10 +6,7 @@ on:
       - "[0-9]+.[0-9]+.[0-9]+"
   workflow_dispatch:
 
-permissions:
-  contents: read
-  pages: write
-  id-token: write
+permissions: {}  # future-proof, preemptively move permissions into jobs level
 
 concurrency:
   group: "release"
@@ -22,23 +19,32 @@ jobs:
     concurrency:
       group: release-installer-${{ github.ref }}
       cancel-in-progress: false
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
+
     steps:
       -
         name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       -
         name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: '1.22.0'
+          go-version: '1.24.1'
+          # Caching: we are making release artifacts, and unfortunately we need
+          # to ensure that the cache is not poisonable.
+          cache: false
       -
         name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v5
+        uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser
-          version: latest
+          version: '~> v2'
           args: release --verbose --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GHA_RELEASE }}

.github/workflows/ui.yml

@@ -3,7 +3,11 @@ on:
   pull_request:
     branches:
       - main
+
+permissions: {}
+
 jobs:
+
   check-ui:
     runs-on: ubuntu-latest
     name: Check UI for edits
@@ -13,43 +17,53 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-
-      - name: Get changes to UI directory
+          persist-credentials: false
+      - name: Determine if changes to UI directory
         id: ui-edited
-        uses: tj-actions/changed-files@aa08304bd477b800d468db44fe10f6c61f7f7b11  ## @v42 reiified by pdp 2025-03-14 in repo compromised tags incident
-        with:
-          files: natster-io/**
+        shell: bash
+        run: |
+          : "${GITHUB_BASE_REF:?missing GITHUB_BASE_REF on push, fixme}"
+          changes="$(git diff-tree -r --name-only "origin/$GITHUB_BASE_REF" HEAD -- natster-io)"
+          if [[ -n "$changes" ]]; then
+            echo >> "$GITHUB_OUTPUT" "any_changed=true"
+          else
+            echo >> "$GITHUB_OUTPUT" "any_changed=false"
+          fi
+
   check-formatter:
     runs-on: ubuntu-latest
     name: Checks to see if UI code is formatted
     needs: check-ui
     if: needs.check-ui.outputs.status
     steps:
-      - 
+      -
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - 
+          persist-credentials: false
+      -
         name: Install UI deps
         working-directory: ./natster-io
         run: |
           curl -fsSL https://get.pnpm.io/install.sh | SHELL=bash sh -
           ~/.local/share/pnpm/pnpm install
-      - 
+      -
         name: Check formatting
         working-directory: ./natster-io
         run: ~/.local/share/pnpm/pnpm run check-formatting
+
   build-ui:
     runs-on: ubuntu-latest
     name: Builds UI if edits found
     needs: check-ui
     if: needs.check-ui.outputs.status
     steps:
-      - 
+      -
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - 
+          persist-credentials: false
+      -
         name: Build ui
         working-directory: ./natster-io
         run: |
@@ -60,14 +74,14 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: '1.22.0'
+          go-version: '1.24.1'
       -
         name: Build server
         working-directory: ./natster-io/server
         run: |
           go build -tags netgo -ldflags '-extldflags "-static"' -o natster-ui-server
           go build -tags with_tailscale -o natster-ui-server-ts
-      - 
+      -
         name: Archive server binaries
         uses: actions/upload-artifact@v4
         with:

.github/workflows/ui_prod.yml

@@ -4,51 +4,44 @@ on:
     tags:
       - "[0-9]+.[0-9]+.[0-9]+"
 
-jobs:
-  check-ui:
-    runs-on: ubuntu-latest
-    name: Check UI for edits
-    outputs:
-      status: ${{ steps.ui-edited.outputs.any_changed }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+# For tag pushes, we always build and deploy
 
-      - name: Get changes to UI directory
-        id: ui-edited
-        uses: tj-actions/changed-files@aa08304bd477b800d468db44fe10f6c61f7f7b11  ## @v42 reiified by pdp 2025-03-14 in repo compromised tags incident
-        with:
-          files: natster-io/**
+permissions: {}
 
+jobs:
   build-ui:
     runs-on: ubuntu-latest
     name: Builds UI if edits found
-    needs: check-ui
-    if: needs.check-ui.outputs.status
+    permissions:
+      contents: read   # clone repo
+      actions: write   # upload artifacts
     steps:
-      - 
+      -
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - 
+          persist-credentials: false
+      -
         name: Build ui
         working-directory: ./natster-io
         run: |
-          curl -fsSL https://get.pnpm.io/install.sh | SHELL=bash sh -
+          curl -fsSL https://get.pnpm.io/install.sh | SHELL=bash bash -
           ~/.local/share/pnpm/pnpm install
           ~/.local/share/pnpm/pnpm build-only --outDir server/dist
       -
         name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
-          go-version: '1.22.0'
+          go-version: '1.24.1'
+          # Caching: we are making release artifacts, and unfortunately we need
+          # to ensure that the cache is not poisonable.
+          cache: false
       -
         name: Build server
         working-directory: ./natster-io/server
         run: |
           go build -o natster-ui-server
-      - 
+      -
         name: Archive server binaries
         uses: actions/upload-artifact@v4
         with:
@@ -64,19 +57,23 @@ jobs:
     environment:
       name: Prod
       url: https://natster.io
+    permissions:
+      actions: read    # download artifacts
+      id-token: write  # OIDC exchange for tailscale
     steps:
       -
         name: Download server artifact
         uses: actions/download-artifact@v4
         with:
           name: web_server
-      - 
+      -
         name: Tailscale
-        uses: tailscale/github-action@v2
+        uses: tailscale/github-action@v3
         with:
           oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
           oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
           tags: tag:natster
+      # No SSH keys needed for SSH below, it's using Tailscale connection ambient identity
       -
         name: Stop Prod Server
         run: |
@@ -89,4 +86,4 @@ jobs:
         name: Restart Prod Server
         run: |
           ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" root@natster-ui.pig-bee.ts.net systemctl start natster-ui-prod.service
-      
+