diff --git a/.github/workflows/__main-ci.yml b/.github/workflows/__main-ci.yml index 4ca92a6f..180efb9d 100644 --- a/.github/workflows/__main-ci.yml +++ b/.github/workflows/__main-ci.yml @@ -83,7 +83,7 @@ jobs: release: needs: ci if: github.event_name != 'schedule' - uses: hoverkraft-tech/ci-github-publish/.github/workflows/release-actions.yml@ecafdeac18a6a6dcc01058cd53ac7431bedb5c3b # 0.14.1 + uses: hoverkraft-tech/ci-github-publish/.github/workflows/release-actions.yml@dbdcce2870b33525ac1fa26069bf95b2dd586fda # 0.15.2 permissions: contents: read with: diff --git a/.github/workflows/__need-fix-to-issue.yml b/.github/workflows/__need-fix-to-issue.yml index 0d3de200..62133b4a 100644 --- a/.github/workflows/__need-fix-to-issue.yml +++ b/.github/workflows/__need-fix-to-issue.yml @@ -17,17 +17,14 @@ on: # yamllint disable-line rule:truthy to go back further, enter an earlier SHA here required: false -permissions: - contents: read - issues: write - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true +permissions: {} jobs: main: - uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@1127e708e4072515056a4b0d26bcb0653646cedc # 0.30.0 + uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 + permissions: + contents: read + issues: write with: manual-commit-ref: ${{ inputs.manual-commit-ref }} manual-base-ref: ${{ inputs.manual-base-ref }} diff --git a/.github/workflows/__pull-request-ci.yml b/.github/workflows/__pull-request-ci.yml index e6271043..98f811ec 100644 --- a/.github/workflows/__pull-request-ci.yml +++ b/.github/workflows/__pull-request-ci.yml @@ -6,21 +6,22 @@ on: # yamllint disable-line rule:truthy pull_request: branches: [main] -permissions: - actions: read - contents: write - issues: read - packages: write - pull-requests: write - security-events: write - statuses: write - id-token: write - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: ci: uses: ./.github/workflows/__shared-ci.yml + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: write + security-events: write + statuses: write + id-token: write secrets: inherit diff --git a/.github/workflows/__semantic-pull-request.yml b/.github/workflows/__semantic-pull-request.yml index 67ec1ef9..be904c77 100644 --- a/.github/workflows/__semantic-pull-request.yml +++ b/.github/workflows/__semantic-pull-request.yml @@ -12,7 +12,7 @@ permissions: {} jobs: main: - uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@1127e708e4072515056a4b0d26bcb0653646cedc # 0.30.0 + uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 permissions: contents: write pull-requests: write diff --git a/.github/workflows/__shared-ci.yml b/.github/workflows/__shared-ci.yml index e99386ca..331a082b 100644 --- a/.github/workflows/__shared-ci.yml +++ b/.github/workflows/__shared-ci.yml @@ -16,7 +16,7 @@ permissions: jobs: linter: - uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@1127e708e4072515056a4b0d26bcb0653646cedc # 0.30.0 + uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 test-action-docker-build-image: needs: linter diff --git a/.github/workflows/__stale.yml b/.github/workflows/__stale.yml index f6e7e5a4..fac0f87d 100644 --- a/.github/workflows/__stale.yml +++ b/.github/workflows/__stale.yml @@ -9,7 +9,7 @@ permissions: {} jobs: main: - uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@1127e708e4072515056a4b0d26bcb0653646cedc # 0.30.0 + uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 permissions: issues: write pull-requests: write diff --git a/.github/workflows/__test-action-docker-build-image.yml b/.github/workflows/__test-action-docker-build-image.yml index 3ccb764b..1c3e6b27 100644 --- a/.github/workflows/__test-action-docker-build-image.yml +++ b/.github/workflows/__test-action-docker-build-image.yml @@ -5,9 +5,7 @@ run-name: Test for "docker/build-image" action on: # yamllint disable-line rule:truthy workflow_call: -permissions: - contents: read - packages: write +permissions: {} # jscpd:ignore-start jobs: @@ -20,6 +18,8 @@ jobs: steps: - name: Arrange - Checkout uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - name: Arrange - Ensure token is set run: | @@ -177,6 +177,8 @@ jobs: steps: - name: Arrange - Checkout uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - name: Arrange - Ensure token is set run: | diff --git a/.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml b/.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml index 37c90083..156fc818 100644 --- a/.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml +++ b/.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml @@ -143,6 +143,8 @@ jobs: packages: write steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: @@ -250,6 +252,8 @@ jobs: if: always() steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - name: Delete test packages uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 diff --git a/.github/workflows/__test-action-get-image-metadata.yml b/.github/workflows/__test-action-get-image-metadata.yml index 56fd783c..6ed82dcd 100644 --- a/.github/workflows/__test-action-get-image-metadata.yml +++ b/.github/workflows/__test-action-get-image-metadata.yml @@ -5,15 +5,18 @@ run-name: Test for "docker/get-image-metadata" action on: # yamllint disable-line rule:truthy workflow_call: -permissions: - contents: read +permissions: {} jobs: tests: name: Test for "docker/get-image-metadata" action runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - name: Act id: get-image-metadata @@ -114,8 +117,12 @@ jobs: tests-with-given-tag: name: Test for "docker/get-image-metadata" action with given tag runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - name: Act id: get-image-metadata diff --git a/.github/workflows/__test-action-get-image-name.yml b/.github/workflows/__test-action-get-image-name.yml index b9979ce8..a135ec91 100644 --- a/.github/workflows/__test-action-get-image-name.yml +++ b/.github/workflows/__test-action-get-image-name.yml @@ -5,15 +5,18 @@ run-name: Test for "docker/get-image-name" action on: # yamllint disable-line rule:truthy workflow_call: -permissions: - contents: read +permissions: {} jobs: tests-with-implicit-repository: name: Test for "docker/get-image-name" action runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - id: get-image-name uses: ./actions/docker/get-image-name @@ -49,8 +52,12 @@ jobs: tests-with-given-repository: name: Test for "docker/get-image-name" action with given repository runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - id: get-image-name uses: ./actions/docker/get-image-name diff --git a/.github/workflows/__test-action-helm-parse-chart-uri.yml b/.github/workflows/__test-action-helm-parse-chart-uri.yml index bc09fdc8..4f4bf3f4 100644 --- a/.github/workflows/__test-action-helm-parse-chart-uri.yml +++ b/.github/workflows/__test-action-helm-parse-chart-uri.yml @@ -5,15 +5,18 @@ run-name: Test for "actions/helm/parse-chart-uri" action on: # yamllint disable-line rule:truthy workflow_call: -permissions: - contents: read +permissions: {} jobs: test: name: Test for "helm/parse-chart-uri" action runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - name: Act id: parse-chart-uri diff --git a/.github/workflows/__test-action-helm-release-chart.yml b/.github/workflows/__test-action-helm-release-chart.yml index c6b02195..c994105f 100644 --- a/.github/workflows/__test-action-helm-release-chart.yml +++ b/.github/workflows/__test-action-helm-release-chart.yml @@ -5,14 +5,15 @@ run-name: Test for "helm/release-chart" action on: # yamllint disable-line rule:truthy workflow_call: -permissions: - contents: read - packages: write +permissions: {} jobs: tests: name: Test for "helm/release-chart" action with simple chart runs-on: ubuntu-latest + permissions: + contents: read + packages: write strategy: fail-fast: false matrix: @@ -40,6 +41,8 @@ jobs: ] steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - run: | if [ -z "${{ github.token }}" ]; then diff --git a/.github/workflows/__test-action-helm-test-chart.yml b/.github/workflows/__test-action-helm-test-chart.yml index 38648bc9..8224ceba 100644 --- a/.github/workflows/__test-action-helm-test-chart.yml +++ b/.github/workflows/__test-action-helm-test-chart.yml @@ -36,6 +36,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - id: test-chart uses: ./actions/helm/test-chart diff --git a/.github/workflows/docker-build-images.yml b/.github/workflows/docker-build-images.yml index a151a9e1..7a81d350 100644 --- a/.github/workflows/docker-build-images.yml +++ b/.github/workflows/docker-build-images.yml @@ -347,7 +347,7 @@ jobs: # FIXME: This is a workaround for having workflow actions. See https://github.com/orgs/community/discussions/38659 id-token: write steps: - - uses: hoverkraft-tech/ci-github-common/actions/checkout@1127e708e4072515056a4b0d26bcb0653646cedc # 0.30.0 + - uses: hoverkraft-tech/ci-github-common/actions/checkout@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 with: lfs: ${{ inputs.lfs }} @@ -360,6 +360,7 @@ jobs: uses: ChristopherHX/oidc@73eee1ff03fdfce10eda179f617131532209edbd # v3 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: + persist-credentials: false path: ./self-workflow repository: ${{ steps.oidc.outputs.job_workflow_repo_name_and_owner }} ref: ${{ steps.oidc.outputs.job_workflow_repo_ref }} @@ -369,7 +370,7 @@ jobs: echo "self-workflow" >> .gitignore echo "self-workflow" >> .dockerignore - - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 + - uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2.2.0 if: inputs.build-secret-github-app-id id: generate-token with: @@ -431,7 +432,7 @@ jobs: # FIXME: Set built images infos in file to be uploaded as artifacts, because github action does not handle job outputs for matrix # https://github.com/orgs/community/discussions/26639 - - uses: hoverkraft-tech/ci-github-common/actions/set-matrix-output@1127e708e4072515056a4b0d26bcb0653646cedc # 0.30.0 + - uses: hoverkraft-tech/ci-github-common/actions/set-matrix-output@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 with: artifact-name: ${{ needs.prepare-variables.outputs.artifact-name }} value: ${{ steps.build.outputs.built-image }} @@ -440,6 +441,7 @@ jobs: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 if: always() && steps.oidc.outputs.job_workflow_repo_name_and_owner with: + persist-credentials: false path: ./self-workflow repository: ${{ steps.oidc.outputs.job_workflow_repo_name_and_owner }} ref: ${{ steps.oidc.outputs.job_workflow_repo_ref }} @@ -459,7 +461,7 @@ jobs: built-images: ${{ steps.create-images-manifests.outputs.built-images }} steps: - id: get-matrix-outputs - uses: hoverkraft-tech/ci-github-common/actions/get-matrix-outputs@1127e708e4072515056a4b0d26bcb0653646cedc # 0.30.0 + uses: hoverkraft-tech/ci-github-common/actions/get-matrix-outputs@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 with: artifact-name: ${{ needs.prepare-variables.outputs.artifact-name }} @@ -499,6 +501,7 @@ jobs: uses: ChristopherHX/oidc@73eee1ff03fdfce10eda179f617131532209edbd # v3 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: + persist-credentials: false path: ./self-workflow repository: ${{ steps.oidc.outputs.job_workflow_repo_name_and_owner }} ref: ${{ steps.oidc.outputs.job_workflow_repo_ref }} diff --git a/.github/workflows/prune-pull-requests-images-tags.yml b/.github/workflows/prune-pull-requests-images-tags.yml index 2a04d755..3109b018 100644 --- a/.github/workflows/prune-pull-requests-images-tags.yml +++ b/.github/workflows/prune-pull-requests-images-tags.yml @@ -106,6 +106,7 @@ jobs: uses: ChristopherHX/oidc@73eee1ff03fdfce10eda179f617131532209edbd # v3 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: + persist-credentials: false path: ./self-workflow repository: ${{ steps.oidc.outputs.job_workflow_repo_name_and_owner }} ref: ${{ steps.oidc.outputs.job_workflow_repo_ref }} diff --git a/actions/docker/build-image/action.yml b/actions/docker/build-image/action.yml index aa40145d..594ce8dc 100644 --- a/actions/docker/build-image/action.yml +++ b/actions/docker/build-image/action.yml @@ -142,7 +142,7 @@ runs: rm -fr ./self-actions - id: slugify-platform - uses: hoverkraft-tech/ci-github-common/actions/slugify@1127e708e4072515056a4b0d26bcb0653646cedc # 0.30.0 + uses: hoverkraft-tech/ci-github-common/actions/slugify@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 with: value: ${{ inputs.platform }} diff --git a/actions/docker/get-image-metadata/action.yml b/actions/docker/get-image-metadata/action.yml index 9b829dd3..bcd23a5a 100644 --- a/actions/docker/get-image-metadata/action.yml +++ b/actions/docker/get-image-metadata/action.yml @@ -64,7 +64,7 @@ runs: - id: get-issue-number if: inputs.tag == '' && (github.event_name == 'pull_request' || github.event_name == 'pull_request_review' || github.event_name == 'issue_comment') - uses: hoverkraft-tech/ci-github-common/actions/get-issue-number@1127e708e4072515056a4b0d26bcb0653646cedc # 0.30.0 + uses: hoverkraft-tech/ci-github-common/actions/get-issue-number@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 - id: define-metadata-inputs uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 diff --git a/actions/docker/prune-pull-requests-image-tags/action.yml b/actions/docker/prune-pull-requests-image-tags/action.yml index 6e21a462..f631a9fe 100644 --- a/actions/docker/prune-pull-requests-image-tags/action.yml +++ b/actions/docker/prune-pull-requests-image-tags/action.yml @@ -42,7 +42,7 @@ runs: image: ${{ inputs.image }} - id: is-organization-or-user - uses: hoverkraft-tech/ci-github-common/actions/repository-owner-is-organization@1127e708e4072515056a4b0d26bcb0653646cedc # 0.30.0 + uses: hoverkraft-tech/ci-github-common/actions/repository-owner-is-organization@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 - id: get-tags-to-delete uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 diff --git a/actions/helm/generate-docs/action.yml b/actions/helm/generate-docs/action.yml index 4bd9cb4f..1e5a9a31 100644 --- a/actions/helm/generate-docs/action.yml +++ b/actions/helm/generate-docs/action.yml @@ -109,7 +109,7 @@ runs: } core.setOutput("textlint-config-path", textlintConfigPath); - - uses: hoverkraft-tech/ci-github-common/actions/checkout@1127e708e4072515056a4b0d26bcb0653646cedc # 0.30.0 + - uses: hoverkraft-tech/ci-github-common/actions/checkout@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 - uses: losisin/helm-docs-github-action@a57fae5676e4c55a228ea654a1bcaec8dd3cf5b5 # v1.6.2 with: @@ -175,14 +175,14 @@ runs: VALUES_FILE: ${{ steps.prepare-variables.outputs.values-file || '' }} run: npx prettier --cache-location "$CACHE_PATH" --write "$(pwd)/**/*.md" $VALUES_FILE - - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 + - uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2.2.0 if: inputs.github-app-id id: generate-token with: app-id: ${{ inputs.github-app-id }} private-key: ${{ inputs.github-app-key }} - - uses: hoverkraft-tech/ci-github-common/actions/create-and-merge-pull-request@1127e708e4072515056a4b0d26bcb0653646cedc # 0.30.0 + - uses: hoverkraft-tech/ci-github-common/actions/create-and-merge-pull-request@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 with: github-token: ${{ steps.generate-token.outputs.token || inputs.github-token }} branch: docs/update-helm-chart-docs-${{ steps.prepare-variables.outputs.working-directory-name }} diff --git a/actions/helm/release-chart/action.yml b/actions/helm/release-chart/action.yml index d6965a90..08cd6276 100644 --- a/actions/helm/release-chart/action.yml +++ b/actions/helm/release-chart/action.yml @@ -76,7 +76,7 @@ outputs: runs: using: "composite" steps: - - uses: hoverkraft-tech/ci-github-common/actions/checkout@1127e708e4072515056a4b0d26bcb0653646cedc # 0.30.0 + - uses: hoverkraft-tech/ci-github-common/actions/checkout@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 - id: chart-values-updates uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -175,7 +175,7 @@ runs: core.setOutput('yq-command', yqCommands.join('\n')); - - uses: mikefarah/yq@796317b885ae219215caa36e9bdacc87c9962c15 # v4.48.2 + - uses: mikefarah/yq@45be35c06387d692bb6bf689919919e0e32e796f # v4.49.1 with: cmd: | ${{ steps.chart-values-updates.outputs.yq-command }} diff --git a/actions/helm/test-chart/action.yml b/actions/helm/test-chart/action.yml index 94bfa8c2..55a3a874 100644 --- a/actions/helm/test-chart/action.yml +++ b/actions/helm/test-chart/action.yml @@ -72,7 +72,7 @@ runs: echo "::error ::At least one of 'enable-lint' or 'enable-install' input must be true" exit 1 - - uses: hoverkraft-tech/ci-github-common/actions/checkout@1127e708e4072515056a4b0d26bcb0653646cedc # 0.30.0 + - uses: hoverkraft-tech/ci-github-common/actions/checkout@5e8d0e6d1e76d8577a070db6d0128a91b1c9d5ad # 0.30.2 with: fetch-depth: 0