diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8a4d3f2..4fec746 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,31 +11,52 @@ env: GO111MODULE: on COVERALLS_TOKEN: ${{ secrets.COVERALLS_TOKEN }} +permissions: + contents: read + jobs: Build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-go@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1 with: go-version: ${{ env.go_version }} - run: make build Test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-go@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1 with: go-version: ${{ env.go_version }} - run: make test Lint: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: read # for golangci/golangci-lint-action to fetch pull requests runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-go@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1 with: go-version: ${{ env.go_version }} - - uses: golangci/golangci-lint-action@v3 + - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: version: latest args: --timeout 3m @@ -44,10 +65,15 @@ jobs: Check-License: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: version: latest - - uses: actions/setup-go@v3 + - uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1 with: go-version: ${{ env.go_version }} - run: make check-license @@ -55,10 +81,15 @@ jobs: Coverage: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: version: latest - - uses: actions/setup-go@v3 + - uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1 with: go-version: ${{ env.go_version }} - run: make coverage COVERALLS_TOKEN="$COVERALLS_TOKEN" @@ -66,7 +97,12 @@ jobs: Salus: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: version: latest - run: make salus @@ -74,7 +110,12 @@ jobs: Check-format: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: version: latest - run: make check-format \ No newline at end of file