ci(github): run security actions on schedule and fix issues (#8787)

The goal is to minimize the number of runners required to reduce queueing on github workers Signed-off-by: Charly Molter <[email protected]>
kumahq · Jan 9, 2024 · 094b27a · 094b27a
1 parent 3eea93b
commit 094b27a
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 38 deletions.
diff --git a/.github/workflows/build-test-distribute.yaml b/.github/workflows/build-test-distribute.yaml
@@ -30,9 +30,7 @@ jobs:
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: go.mod
-          cache-dependency-path: |
-            .run-full-matrix
-            go.sum
+          cache: false
       - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         with:
           path: |
@@ -42,6 +40,10 @@ jobs:
             ${{ runner.os }}-${{ runner.arch }}-devtools
       - run: |
           make dev/tools
+      - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
+        with:
+          args: --fix=false --verbose
+          version: v1.54.1
       - run: |
           make clean
       - run: |

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -1,7 +1,8 @@
 name: "CodeQL"
 on:
-  push:
-    branches: ["master"]
+  workflow_dispatch: {}
+  schedule:
+    - cron: '35 3 * * *'
 permissions:
   contents: read
 jobs:

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -3,12 +3,11 @@ on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
   branch_protection_rule:
+  workflow_dispatch: {}
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
-    - cron: '35 3 * * 1'
-  push:
-    branches: ["master"]
+    - cron: '35 3 * * *'
 # Declare default permissions as read only.
 permissions: read-all
 jobs:

diff --git a/.github/workflows/update-insecure-dependencies.yaml b/.github/workflows/update-insecure-dependencies.yaml
@@ -3,6 +3,7 @@ on:
   workflow_dispatch: {}
   schedule:
     - cron: 0 3 * * *
+permissions: read-all
 jobs:
   build-matrix:
     runs-on: ubuntu-latest
@@ -29,12 +30,6 @@ jobs:
         uses: pierotofy/set-swap-space@49819abfb41bd9b44fb781159c033dba90353a7c
         with:
           swap-size-gb: 10
-      - name: Generate GitHub app token
-        id: github-app-token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
-        with:
-          app_id: ${{ secrets.APP_ID }}
-          private_key: ${{ secrets.APP_PRIVATE_KEY }}
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ matrix.branch }}
@@ -43,7 +38,7 @@ jobs:
           go-version-file: go.mod
       - name: "Install tools"
         run: |
-          go install github.com/google/osv-scanner/cmd/osv-scanner@v1
+          go install github.com/google/osv-scanner/cmd/osv-scanner@060799ca816dfa40afa05e48c895c0c9fd79b90b
       - name: "Prepare commit body - before"
         id: prepare_commit_body_before
         run: |
@@ -62,6 +57,12 @@ jobs:
           echo "SCAN_OUTPUT_AFTER<<EOF" >> $GITHUB_ENV
           echo "$SCAN_OUTPUT_AFTER" >> $GITHUB_ENV
           echo "EOF" >> $GITHUB_ENV
+      - name: Generate GitHub app token
+        id: github-app-token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+        with:
+          app_id: ${{ secrets.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
       - name: "Create Pull Request"
         uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
         with: