chore: update GitHub workflows with permissions

ironman0x7b2 · ironman0x7b2 · commit 2177c491edf4 · 2025-09-12T11:10:50.000+05:30
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,4 +1,4 @@
-name: "CodeQL Analysis"
+name: "CodeQL"
 
 on:
   schedule:
@@ -7,29 +7,34 @@ on:
 
 jobs:
   analyze:
-    name: CodeQL Analyze
+    name: Analyze (${{ matrix.language }})
     runs-on: ubuntu-latest
-
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
     strategy:
       fail-fast: false
       matrix:
-        languages:
-          - go
+        include:
+          - language: actions
+            build-mode: none
+          - language: go
+            build-mode: autobuild
 
     steps:
-      - name: Checkout Repository
+      - name: Checkout repository
         uses: actions/checkout@v5
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:
-          languages: ${{ matrix.languages }}
-          queries: security-extended, security-and-quality
-
-      - name: Autobuild Project
-        uses: github/codeql-action/autobuild@v3
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          queries: security-extended,security-and-quality
 
-      - name: Run CodeQL Analysis
+      - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
         with:
-          category: /language:${{ matrix.languages }}
+          category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,12 +8,15 @@ on:
 jobs:
   artifacts:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v5
 
       - name: Build and Tag Docker Image
-        run: docker build --compress --file Dockerfile --force-rm --tag sentinel-official/sentinelhub .
+        run: make build-image
 
       - name: Extract Binary from Docker Image
         run: |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -8,32 +8,35 @@ on:
       - master
 
 jobs:
-  run:
+  go:
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    permissions:
+      contents: read
+    timeout-minutes: 5
+
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v5
 
       - name: Set Up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: '1.25'
 
       - name: Generate Coverage Report
         run: |
           make test-coverage
-          filepaths=""
-          filepaths+=" $(find ./ -type f -name '*.go' -exec grep -l 'DO NOT COVER' {} \;)"
-          filepaths+=" $(find ./ -type f -name '*.pb.go')"
-          filepaths+=" $(find ./ -type f -name '*.pb.gw.go')"
-          filepaths+=" $(find ./ -type f -path '*/client/cli/*')"
-          filepaths+=" $(find ./ -type f -path '*/expected/*')"
-          filepaths+=" $(find ./ -type f -path '*/services/*')"
-          for filepath in ${filepaths}; do
-            filepath=$(echo "${filepath}" | sed 's@^.@github.com/sentinel-official/sentinelhub/v[0-9]*@g')
-            echo "Excluding file ${filepath} from coverage report..."
-            sed -i "/$(echo "${filepath}" | sed 's@/@\\/@g')/d" ./coverage.txt
+          files=""
+          files+=" $(find ./ -type f -name '*.go' -exec grep -l 'DO NOT COVER' {} \;)"
+          files+=" $(find ./ -type f -name '*.pb.go')"
+          files+=" $(find ./ -type f -name '*.pb.gw.go')"
+          files+=" $(find ./ -type f -path '*/client/cli/*')"
+          files+=" $(find ./ -type f -path '*/expected/*')"
+          files+=" $(find ./ -type f -path '*/services/*')"
+          for f in ${files}; do
+            f=$(echo "${f}" | sed 's@^.@github.com/sentinel-official/sentinelhub/v[0-9]*@g')
+            echo "Excluding file ${f} from coverage report..."
+            sed -i "/$(echo "${f}" | sed 's@/@\\/@g')/d" ./coverage.txt
           done
 
       - name: Upload Coverage to Codecov
