
Commit 1d8de93

authored
chore: set permissions and pin dependencies to exact hash (#529)
1 parent 4696bbc commit 1d8de93


9 files changed

+56
-29
lines changed


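--- a/.github/workflows/all_url_check.yml
+++ b/.github/workflows/all_url_check.yml
@@ -10,13 +10,16 @@ name: all_url_check
   schedule:
     - cron: '0 5,13 * * 3,6'
 
+permissions:
+  contents: read
+
 jobs:
   run_lychee:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: link_check with lychee-action
         id: link_check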
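Review bot: The pinned checkout at new line 22 keeps the default `persist-credentials: true`, so the workflow token is written into the checkout's git config and is readable by every later step, including the third-party action this job runs next (its `uses:` line lies below the hunk). The new `contents: read` limits what that token can do but not whether it is exposed; pip_audit.yml in this same commit already passes `persist-credentials: false` to checkout. Adding `with:` / `persist-credentials: false` under the step closes that gap, and the same change fits the checkout steps in black_format.yml, check_shell_scripts.yml, codeql.yml, generate_and_upload_coverage_data.yml, publish.yml and python_test.yml. create_tag.yml is the exception: its Tag and push step presumably relies on the persisted PUSH_TOKEN.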

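--- a/.github/workflows/black_format.yml
+++ b/.github/workflows/black_format.yml
@@ -8,11 +8,14 @@ name: black_format
       - master
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   black_format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: psf/[email protected]
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: psf/black@8a737e727ac5ab2f1d4cf5876720ed276dc8dc4b # 25.1.0
         with:
           options: "--check --verbose"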

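--- a/.github/workflows/check_shell_scripts.yml
+++ b/.github/workflows/check_shell_scripts.yml
@@ -8,13 +8,16 @@ name: check_shell_scripts
       - master
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   run_shellcheck:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Install shellcheck
         run: |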

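--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -10,6 +10,9 @@ name: CodeQL
   schedule:
     - cron: '34 13 * * 3'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -26,18 +29,18 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11
         with:
           languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11
         with:
           category: "/language:${{matrix.language}}"
 ...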
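Review bot: The workflow-level `permissions: contents: read` added at new lines 13-14 becomes the default for the analyze job, but `github/codeql-action/analyze` at new line 43 uploads its SARIF results with the workflow token and needs `security-events: write` for that. Whether the job declares its own `permissions:` block cannot be seen here, because new lines 19-28 between the two hunks are not shown; if it does not, the upload step will be rejected. In that case add under `analyze:` the lines `permissions:` / `security-events: write` / `contents: read`, keeping in mind that a job-level block replaces the workflow-level one rather than extending it.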

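--- a/.github/workflows/create_tag.yml
+++ b/.github/workflows/create_tag.yml
@@ -7,23 +7,26 @@ name: create_tag
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   create_tag:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           token: ${{secrets.PUSH_TOKEN}}
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.13
 
       - name: Set up Poetry
-        uses: snok/install-poetry@v1
+        uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
 
       - name: Tag and push
         run: |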
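Review bot: The `permissions: contents: read` added at new lines 10-12 only constrains the automatic GITHUB_TOKEN, while the checkout at new line 19 still passes `token: ${{secrets.PUSH_TOKEN}}` and the Tag and push step (its `run:` body continues below the hunk) presumably pushes with that persisted credential, so this job's write capability is unchanged. A reader comparing this file with the other workflows in the commit will otherwise assume the job is read-only; a comment above the `with:` block such as `# PUSH_TOKEN is a separately provisioned secret; the workflow-level contents: read does not apply to it` would make the intent explicit.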

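--- a/.github/workflows/generate_and_upload_coverage_data.yml
+++ b/.github/workflows/generate_and_upload_coverage_data.yml
@@ -8,13 +8,16 @@ name: generate_and_upload_coverage_data
       - master
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   generate_and_upload_coverage_data:
     name: generate_and_upload_coverage_data
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
@@ -23,12 +26,12 @@ jobs:
           ./validate_codecov_yml.sh
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.13
 
       - name: Set up Poetry
-        uses: snok/install-poetry@v1
+        uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
 
       - name: Install dependencies
         run: |
@@ -48,13 +51,13 @@ jobs:
           --iteration_size=0
 
       - name: Sonar Scan
-        uses: SonarSource/sonarqube-scan-action@v5
+        uses: SonarSource/sonarqube-scan-action@8c71dc039c2dd71d3821e89a2b58ecc7fee6ced9 # v5.3.0
         env:
           SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
       - name: Upload coverage report to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           fail_ci_if_error: true
@@ -63,18 +66,18 @@ jobs:
         if: >-
           github.event_name == 'pull_request' &&
           github.event.pull_request.head.repo.full_name != github.repository
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0
         with:
           fail_ci_if_error: true
 
       - name: Upload coverage report to Codacy
-        uses: codacy/codacy-coverage-reporter-action@v1
+        uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1.3.0
         with:
           project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
           coverage-reports: coverage.xml
 
       - name: Upload coverage report as an artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: coverage_report
           path: |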

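--- a/.github/workflows/pip_audit.yml
+++ b/.github/workflows/pip_audit.yml
@@ -10,22 +10,25 @@ name: pip_audit
   schedule:
     - cron: '10 2 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   pip_audit:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.13
 
       - name: Set up Poetry
-        uses: snok/install-poetry@v1
+        uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
 
       - name: Install poetry-plugin-export
         run: |
@@ -37,7 +40,7 @@ jobs:
           poetry export --with dev -f requirements.txt -o dev-requirements.txt
 
       - name: Run pip-audit
-        uses: pypa/[email protected]
+        uses: pypa/gh-action-pip-audit@1220774d901786e6f652ae159f7b6bc8fea6d266 # v1.1.0
         with:
           inputs: requirements.txt dev-requirements.txt
 ...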

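--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -7,21 +7,24 @@ name: publish
     types:
       - created
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.13
 
       - name: Set up Poetry
-        uses: snok/install-poetry@v1
+        uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
 
       - name: Publish to PyPi
         env: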

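--- a/.github/workflows/python_test.yml
+++ b/.github/workflows/python_test.yml
@@ -10,6 +10,9 @@ name: python_test
   schedule:
     - cron: '25 0 * * 2'
 
+permissions:
+  contents: read
+
 jobs:
   python_test:
     runs-on: ${{matrix.os}}
@@ -22,15 +25,15 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Set up Python ${{matrix.python-version}}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: ${{matrix.python-version}}
 
       - name: Set up Poetry
-        uses: snok/install-poetry@v1
+        uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
 
       - name: Install basic dependencies
         run: |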
