From 2e676ee8be93bb04bafa6af0b098dab76b9e5fcf Mon Sep 17 00:00:00 2001
From: Michael McLoughlin
Date: Tue, 27 Apr 2021 21:09:34 -0700
Subject: [PATCH 1/4] control github token permissions
---
.github/workflows/ci.yml | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9eb47c1..bcd2802 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches:
@@ -21,6 +24,8 @@ jobs: go-version: ${{ matrix.go-version }} - name: Checkout code uses: actions/checkout@v1 + with: + persist-credentials: false - name: Build run: go build ./... - name: Test
@@ -41,6 +46,8 @@ jobs: echo ${{ runner.workspace }}/bin >> $GITHUB_PATH - name: Checkout code uses: actions/checkout@v1 + with: + persist-credentials: false - name: Bootstrap run: ./script/bootstrap - name: Lint
From 9163fc555342600666f714b1abda27885ff3a8da Mon Sep 17 00:00:00 2001
From: Michael McLoughlin
Date: Tue, 27 Apr 2021 21:14:59 -0700
Subject: [PATCH 2/4] pin action versions
---
.github/workflows/ci.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bcd2802..77f2cfd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,11 +19,11 @@ jobs: runs-on: ${{ matrix.platform }} steps: - name: Install Go - uses: actions/setup-go@v1 + uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3 with: go-version: ${{ matrix.go-version }} - name: Checkout code - uses: actions/checkout@v1 + uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4 with: persist-credentials: false - name: Build
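Review bot: `persist-credentials: false` is attached to `actions/checkout@v1` in the hunk at `-21,6 +24,8` and again in the lint-job hunk at `-41,6 +46,8`. As far as I know that input was introduced with checkout v2, so v1 would treat it as an unknown input and ignore it. At this commit the jobs therefore look hardened without being so, and the setting only takes effect once a later patch in the series moves checkout to v2.3.4. I would fold the two changes into one commit, or add `# requires actions/checkout v2 or later` above `with:` so the dependency is visible. The step list continues outside both hunks.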
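Review bot: The SHA pins on `actions/setup-go` and `actions/checkout` in the hunk at `-19,11 +19,11` freeze the action code, but nothing in the visible series adds a way to move them forward, so upstream security fixes will not arrive on their own. The trailing `# v2.1.3` and `# v2.3.4` comments are the only readable record of what each hash is, and they can drift from the hash on a manual bump. I would add `# pinned by commit SHA; update the hash and the version comment together` above the first `uses:`, and consider an automated updater for the `github-actions` ecosystem if the repository does not already have one. The pins also move both actions from v1 to v2, which the commit title does not mention.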
@@ -31,7 +31,7 @@ jobs: - name: Test run: go test -coverprofile=coverage.out -covermode=count ./... - name: Upload Coverage - uses: codecov/codecov-action@v1.0.5 + uses: codecov/codecov-action@967e2b38a85a62bd61be5529ada27ebc109948c2 #v1.4.1 with: token: ${{ secrets.CODECOV_TOKEN }} file: coverage.out
@@ -45,7 +45,7 @@ jobs: echo GOPATH=${{ runner.workspace }} >> $GITHUB_ENV echo ${{ runner.workspace }}/bin >> $GITHUB_PATH - name: Checkout code - uses: actions/checkout@v1 + uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4 with: persist-credentials: false - name: Bootstrap
From ecdf6a72e72900d6d4815ca0b6fcb27c027b0b29 Mon Sep 17 00:00:00 2001
From: Michael McLoughlin
Date: Tue, 27 Apr 2021 21:26:33 -0700
Subject: [PATCH 3/4] update other workflows
---
.github/workflows/install.yml | 7 ++++++-
.github/workflows/release.yml | 12 ++++++++----
.github/workflows/stress.yml | 11 ++++++++---
3 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/install.yml b/.github/workflows/install.yml
index 0c9660a..a5bfad4 100644
--- a/.github/workflows/install.yml
+++ b/.github/workflows/install.yml
@@ -1,3 +1,6 @@ +permissions: + contents: read + on: push: branches:
@@ -17,7 +20,9 @@ jobs: runs-on: ${{ matrix.platform }} steps: - name: Checkout code - uses: actions/checkout@v1 + uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4 + with: + persist-credentials: false - name: Run Installer run: cat install.sh | sh -s -- -b ${{ runner.workspace }}/bin - name: Run Binary
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 768419c..a029eba 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,8 @@ name: release +permissions: + contents: write + on: push: tags:
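Review bot: Pinning `codecov/codecov-action` to a commit in the hunk at `-31,7 +31,7` fixes the action's own code, but not anything the action fetches and runs at job time, and this step is handed `secrets.CODECOV_TOKEN`. Whether v1.4.1 verifies the uploader it downloads should be confirmed against the action's release notes rather than assumed from the pin. The workflow-level `contents: read` limits `GITHUB_TOKEN` only and does not narrow what a step can do with a repository secret passed through `with:`. A comment such as `# SHA pins the action only; uploader integrity depends on the action's own checks` above `uses:` would record that, and `#v1.4.1` should be written `# v1.4.1` to match the other pins. The same pin appears in the stress.yml hunk at `-20,13 +23,15`.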
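Review bot: `permissions: contents: write` is set at workflow level in the release.yml hunk at `-1,5 +1,8`, so every job in that workflow, including any added later, receives a write-capable `GITHUB_TOKEN`. Since only the job that runs GoReleaser needs to publish, I would keep the workflow default at `contents: read` and put `permissions:` with `contents: write` under that job. The trigger is a tag push as far as the hunk shows (`on: push: tags:`), and the tag pattern lies outside the hunk, so who can push matching tags is worth checking alongside this.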
@@ -10,17 +13,18 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4 with: fetch-depth: 0 + persist-credentials: false - name: Set up Go - uses: actions/setup-go@v2 + uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3 with: go-version: 1.16.x - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v2 + uses: goreleaser/goreleaser-action@5e15885530fb01d81d1f24e8a6f54ebbd0fed7eb # v2.5.0 with: - version: latest + version: v0.160.0 args: release --rm-dist env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/stress.yml b/.github/workflows/stress.yml
index fc67445..023a220 100644
--- a/.github/workflows/stress.yml
+++ b/.github/workflows/stress.yml
@@ -1,3 +1,6 @@ +permissions: + contents: read + on: schedule: - cron: "42 10 * * 3"
@@ -12,7 +15,7 @@ jobs: runs-on: ${{ matrix.platform }} steps: - name: Install Go - uses: actions/setup-go@v1 + uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3 with: go-version: ${{ matrix.go-version }} - name: Configure Go Environment
@@ -20,13 +23,15 @@ jobs: echo GOPATH=${{ runner.workspace }} >> $GITHUB_ENV echo ${{ runner.workspace }}/bin >> $GITHUB_PATH - name: Checkout code - uses: actions/checkout@v1 + uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4 + with: + persist-credentials: false - name: Bootstrap run: ./script/bootstrap - name: Stress Test run: ./script/stress -c coverage.out - name: Upload Coverage - uses: codecov/codecov-action@v1.0.5 + uses: codecov/codecov-action@967e2b38a85a62bd61be5529ada27ebc109948c2 #v1.4.1 with: token: ${{ secrets.CODECOV_TOKEN }} file: coverage.out
From 63d4c3fe5bf1dc5e4a2f8a019c573c3b01fc6296 Mon Sep 17 00:00:00 2001
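Review bot: The `Run GoReleaser` step in the hunk at `-10,17 +13,18` pairs a SHA-pinned action with `version: v0.160.0`, which names a GoReleaser release by tag rather than by digest, and that binary runs with the `GITHUB_TOKEN` the workflow grants `contents: write`. Replacing `latest` is a clear improvement, but the two pins are independent and no comment ties them together. I would add `# GoReleaser release to download; review its changelog and bump together with the action SHA above` over `version:`. Whether the action checks the downloaded archive against published checksums is not visible here and should be confirmed. `go-version: 1.16.x` in the same hunk still floats across patch releases, which is reasonable for Go but worth stating as a deliberate choice.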
From: Michael McLoughlin
Date: Tue, 27 Apr 2021 21:46:28 -0700
Subject: [PATCH 4/4] move name fields
---
.github/workflows/ci.yml | 3 ++-
.github/workflows/install.yml | 3 ++-
.github/workflows/stress.yml | 3 ++-
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 77f2cfd..676d719 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,3 +1,5 @@ +name: ci + permissions: contents: read
@@ -9,7 +11,6 @@ on: schedule: - cron: "33 11 * * 6" -name: ci jobs: test: strategy:
diff --git a/.github/workflows/install.yml b/.github/workflows/install.yml
index a5bfad4..d03828a 100644
--- a/.github/workflows/install.yml
+++ b/.github/workflows/install.yml
@@ -1,3 +1,5 @@ +name: install + permissions: contents: read
@@ -11,7 +13,6 @@ on: schedule: - cron: "47 18 * * *" -name: install jobs: install: strategy:
diff --git a/.github/workflows/stress.yml b/.github/workflows/stress.yml
index 023a220..01f6198 100644
--- a/.github/workflows/stress.yml
+++ b/.github/workflows/stress.yml
@@ -1,3 +1,5 @@ +name: stress + permissions: contents: read
@@ -5,7 +7,6 @@ on: schedule: - cron: "42 10 * * 3" -name: stress jobs: test: strategy: