diff --git a/.github/workflows/ansible-ci.yml b/.github/workflows/ansible-ci.yml
index ff88c92..7b9d63b 100644
--- a/.github/workflows/ansible-ci.yml
+++ b/.github/workflows/ansible-ci.yml
@@ -17,15 +17,19 @@ env:
 ANSIBLE_GALAXY_SERVER_GALAXY_TIMEOUT: 120
 ANSIBLE_GALAXY_SERVER_LIST: "galaxy"
+permissions: {}
+
 jobs:
 ansible-lint:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Ansible lint
- uses: ansible/ansible-lint@v25.12.2
+ uses: ansible/ansible-lint@a2bc8b8b13a80802215856c56823d85007d3baf5 # v25.12.2
 with:
 requirements_file: test-requirements.yml
diff --git a/.github/workflows/ansible-documentation-release.yml b/.github/workflows/ansible-documentation-release.yml
index 24945bf..4b1cd6c 100644
--- a/.github/workflows/ansible-documentation-release.yml
+++ b/.github/workflows/ansible-documentation-release.yml
@@ -15,7 +15,7 @@ jobs:
 permissions:
 contents: read
 name: build
- uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-push.yml@main
+ uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-push.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9 # main
 with:
 collection-name: hachyderm.general
 init-project: Hachyderm General Collection
@@ -38,7 +38,7 @@ jobs:
 needs:
 - build
 name: publish
- uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@main
+ uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9 # main
 with:
 artifact-name: ${{ needs.build.outputs.artifact-name }}
 publish-gh-pages-branch: true
diff --git a/.github/workflows/ansible-documentation.yml b/.github/workflows/ansible-documentation.yml
index bfd04f2..1f230c5 100644
--- a/.github/workflows/ansible-documentation.yml
+++ b/.github/workflows/ansible-documentation.yml
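Review bot: With the new workflow-level `permissions: {}` and no job-level `permissions:` on `ansible-lint`, the job's `GITHUB_TOKEN` carries no scopes at all; that works for `actions/checkout` on a public repository, but the clone would fail on a private one, and the intent (read-only clone, nothing else) is not visible in the file. Declaring it on the job, `permissions:` / `  contents: read`, matches what the jobs in ansible-documentation.yml already do (their `contents: read` is visible in that file's @@ -18 hunk) and keeps the token minimal without depending on repository visibility. `persist-credentials: false` on the pinned checkout is the right complement, since nothing in the hunk after it needs to push; the rest of the job is outside the hunk.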
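Review bot: The SHA pins on the `uses:` lines in this file carry a `# main` comment rather than a release tag, so the pinned commit is a snapshot of a moving branch: tools that refresh SHA pins from the trailing comment (Dependabot, Renovate) will follow the head of `main` on every run, and a reader cannot tell from the comment which upstream state was reviewed. If `ansible-community/github-docs-build` publishes tags, prefer pinning to one and naming it in the comment, e.g. `# <release tag>`; otherwise keep the SHA and say in the comment that it was taken from `main` and when. The same applies to the @@ -38 hunk below and to the @@ -18, @@ -77, @@ -100, @@ -118 and @@ -159 hunks of ansible-documentation.yml. The pin itself is the right move; the concern is only update tracking and traceability.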
@@ -11,6 +11,8 @@ on:
 - synchronize
 - closed
+permissions: {}
+
 jobs:
 # Validation job runs a strict build to ensure it will fail CI on any mistakes.
 validate:
@@ -18,7 +20,7 @@ jobs:
 contents: read
 name: validate
 if: github.event.action != 'closed'
- uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-push.yml@main
+ uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-push.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9 # main
 with:
 collection-name: hachyderm.general
 artifact-upload: false
@@ -33,10 +35,12 @@ jobs:
 if: github.event.action != 'closed'
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.13"
@@ -77,7 +81,7 @@ jobs:
 - validate
 - docsmith
 name: build
- uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-pr.yml@main
+ uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-pr.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9 # main
 with:
 collection-name: hachyderm.general
 init-project: Hachyderm General Collection
@@ -100,7 +104,7 @@ jobs:
 needs:
 - build
 name: publish PR preview
- uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@main
+ uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9 # main
 with:
 artifact-name: ${{ needs.build.outputs.artifact-name }}
 action: publish
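Review bot: In the @@ -33 hunk the `setup-python` pin records only the major version (`# v6`) while the `checkout` pin two lines above records the exact release (`# v6.0.2`); the trailing comment is what readers and pin-updating tools use to map the SHA back to a release, so a major-only annotation makes it impossible to tell from the file which patch release `a309ff8b…` corresponds to, and an updater keyed to the floating `v6` tag may rewrite the SHA whenever that tag moves. Record the exact tag the SHA was taken from, in the same form as the checkout line, `# v6.<minor>.<patch>` filled in from the upstream tag. The same applies to the `setup-python` lines in the @@ -17 hunk of ansible-galaxy.yml and the @@ -47 hunk of molecule.yml.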
@@ -118,7 +122,7 @@ jobs:
 name: comment
 steps:
 - name: PR comment
- uses: ansible-community/github-docs-build/actions/ansible-docs-build-comment@main
+ uses: ansible-community/github-docs-build/actions/ansible-docs-build-comment@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9 # main
 with:
 body-includes: '## Docs Build'
 reactions: heart
@@ -159,7 +163,7 @@ jobs:
 pages: write
 id-token: write
 name: cleanup PR preview
- uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@main
+ uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9 # main
 with:
 artifact-name: ${{ needs.build.outputs.artifact-name }}
 action: teardown
diff --git a/.github/workflows/ansible-galaxy.yml b/.github/workflows/ansible-galaxy.yml
index 4cb99b1..3de6a6e 100644
--- a/.github/workflows/ansible-galaxy.yml
+++ b/.github/workflows/ansible-galaxy.yml
@@ -17,15 +17,19 @@ env:
 ANSIBLE_GALAXY_SERVER_LIST: "galaxy"
 ANSIBLE_GALAXY_SERVER_GALAXY_TOKEN: "${{ secrets.ANSIBLE_GALAXY_TOKEN }}"
+permissions: {}
+
 jobs:
 ansible-galaxy:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.13"
@@ -47,7 +51,7 @@ jobs:
 namespace=$(yq -r ".namespace" < galaxy.yml)
 name=$(yq -r ".name" < galaxy.yml)
 version=$(yq -r ".version" < galaxy.yml)
- tag=$(echo ${{ github.ref }} | sed 's,refs/tags/,,g')
+ tag=$(echo ${GITHUB_REF} | sed 's,refs/tags/,,g')
 if [ "${tag}" != "${version}" ] ; then
 echo "The version of the collection (${version}) is different than the tag (${tag})"
 exit 1
diff --git a/.github/workflows/ansible-sanity.yml b/.github/workflows/ansible-sanity.yml
index e9f9f38..8b02941 100644
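Review bot: In the @@ -17 hunk of ansible-galaxy.yml, `permissions: {}` and the SHA pins do not change the fact that `ANSIBLE_GALAXY_SERVER_GALAXY_TOKEN` is set in the workflow-level `env:` (the context line just above the insertion), so the Galaxy publishing secret is in the environment of every step of the job, including the third-party `actions/setup-python` step this hunk pins. Pinning limits what that code can silently become, but least privilege would be to move the `ANSIBLE_GALAXY_SERVER_GALAXY_TOKEN` entry to a step-level `env:` on the step that actually publishes, leaving the non-secret `ANSIBLE_GALAXY_SERVER_*` settings at workflow scope. The publishing step is outside this hunk, so I cannot confirm which step consumes the variable.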
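Review bot: In the @@ -47 hunk of ansible-galaxy.yml, `tag=$(echo ${GITHUB_REF} | sed 's,refs/tags/,,g')` removes the expression injection but still passes an unquoted expansion through `echo` and a pipeline; a parameter expansion does the same job without a subshell or word splitting: `tag="${GITHUB_REF#refs/tags/}"`. The two differ only in that `sed` with `g` strips every occurrence of `refs/tags/` while `#` strips a leading one, which is equivalent for real refs; on a non-tag ref both leave the value intact and the `if` below exits 1 as before. The enclosing `run:` block begins before this hunk.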
--- a/.github/workflows/ansible-sanity.yml
+++ b/.github/workflows/ansible-sanity.yml
@@ -11,7 +11,9 @@ jobs:
 ansible-versions: ${{ steps.list-ansible-versions.outputs.ansible-versions }}
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: List Ansible versions
 id: list-ansible-versions
@@ -32,7 +34,7 @@ jobs:
 needs.define-versions.outputs.ansible-versions != ''
 steps:
 - name: Perform sanity test with ansible-test
- uses: ansible-community/ansible-test-gh-action@v1.17.0
+ uses: ansible-community/ansible-test-gh-action@d3a8ec7a59694e25e210fcd44738910149537f0e # v1.17.0
 with:
 ansible-core-version: stable-${{ matrix.ansible-version }}
 testing-type: sanity
diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
index fedabf3..87938c8 100644
--- a/.github/workflows/molecule.yml
+++ b/.github/workflows/molecule.yml
@@ -17,7 +17,9 @@ jobs:
 roles: ${{ steps.list-roles.outputs.roles }}
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: List Ansible versions
 id: list-ansible-versions
@@ -47,10 +49,12 @@ jobs:
 needs.define-versions.outputs.roles != ''
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: ${{ inputs.python-version }}
@@ -59,7 +63,9 @@ jobs:
 python -m pip install --upgrade pip
 pip install \
 molecule==25.12.0 \
- ansible-core~=${{ matrix.ansible-version }}.0
+ ansible-core~=${ANSIBLE_VERSION}.0
+ env:
+ ANSIBLE_VERSION: ${{ matrix.ansible-version }}
 - name: Install dependencies
 working-directory: ./roles/${{ matrix.role }}
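Review bot: In the @@ -59 hunk of molecule.yml, `ansible-core~=${ANSIBLE_VERSION}.0` on the `pip install` continuation line is an unquoted expansion, so a matrix value containing whitespace would split into several arguments; moving the value into `env:` is the right fix for the expression injection, and quoting it, `"ansible-core~=${ANSIBLE_VERSION}.0"`, closes the remaining gap. The matrix values appear to come from the `define-versions` job's outputs (referenced in the @@ -47 hunk), presumably derived from repository content, so this is a robustness point rather than an exposure. The enclosing `run:` block begins before this hunk.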
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..aa8259d
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,24 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Run zizmor 🌈
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
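Review bot: The job requests `security-events: write`, but `pull_request` runs triggered from forks receive a read-only `GITHUB_TOKEN` regardless of declared permissions, so on fork PRs the SARIF upload inside `zizmorcore/zizmor-action` will be denied unless the action skips it, and `branches: ["**"]` makes fork PRs the common case for a public collection. As far as I recall the action exposes an `advanced-security` input for disabling the upload (confirm against the pinned v0.5.3); if so, gate it on something like `github.event.pull_request.head.repo.fork`, otherwise expect a failing check on every fork PR. Private repositories additionally need `actions: read` and `contents: read` next to `security-events: write` for SARIF upload, so a short comment on the `permissions: {}` line noting that the empty default is intentional for a public repository would help the next maintainer.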