kedacore
/
http-add-on
mirror of https://github.com/kedacore/http-add-on.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[StepSecurity] ci: Harden GitHub Actions (#1217) 

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
This commit is contained in:
StepSecurity Bot 2024-12-15 11:33:12 -08:00 committed by GitHub
parent dd40161cb0
commit 6a30f1842d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 29 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/auto-add-issues-to-project.yml vendored
View File

@ -3,6 +3,9 @@ on:
issues: issues:
types: types:
- opened - opened
permissions:
contents: read
jobs: jobs:
track_issue: track_issue:
runs-on: ubuntu-latest runs-on: ubuntu-latest

5
.github/workflows/build_canary.yml vendored
View File

@ -5,6 +5,9 @@ on:
branches: [ main ] branches: [ main ]
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
build: build:
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
@ -40,7 +43,7 @@ jobs:
# https://github.com/sigstore/cosign-installer # https://github.com/sigstore/cosign-installer
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@v3 uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Check Cosign install! - name: Check Cosign install!
run: cosign version run: cosign version

5
.github/workflows/build_release.yml vendored
View File

@ -4,6 +4,9 @@ on:
push: push:
tags: ["v[0-9].[0-9].[0-9]"] tags: ["v[0-9].[0-9].[0-9]"]
permissions:
contents: read
jobs: jobs:
build: build:
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
@ -49,7 +52,7 @@ jobs:
# https://github.com/sigstore/cosign-installer # https://github.com/sigstore/cosign-installer
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@v3 uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Check Cosign install! - name: Check Cosign install!
run: cosign version run: cosign version

3
.github/workflows/e2e-tests.yaml vendored
View File

@ -9,6 +9,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true cancel-in-progress: true
permissions:
contents: read
jobs: jobs:
e2e_tests: e2e_tests:
runs-on: ubuntu-latest runs-on: ubuntu-latest

3
.github/workflows/images.yaml vendored
View File

@ -7,6 +7,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true cancel-in-progress: true
permissions:
contents: read
jobs: jobs:
build_scaler: build_scaler:
runs-on: ubuntu-latest runs-on: ubuntu-latest

3
.github/workflows/linkinator.yaml vendored
View File

@ -9,6 +9,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true cancel-in-progress: true
permissions:
contents: read
jobs: jobs:
linkinator: linkinator:
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04

12
.github/workflows/tests.yaml vendored
View File

@ -9,6 +9,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true cancel-in-progress: true
permissions:
contents: read
jobs: jobs:
validate: validate:
name: validate - ${{ matrix.name }} name: validate - ${{ matrix.name }}
@ -67,13 +70,16 @@ jobs:
run: ARCH=${{ matrix.name }} make test run: ARCH=${{ matrix.name }} make test
statics: statics:
permissions:
contents: read # for actions/checkout to fetch code
pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
name: Static Checks name: Static Checks
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@v5 - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with: with:
go-version: "1.23" go-version: "1.23"
- uses: golangci/golangci-lint-action@v6 - uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
with: with:
version: v1.60 version: v1.60