diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8fb10535..e269686b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,31 +11,52 @@ env:
 GO111MODULE: on
 COVERALLS_TOKEN: ${{ secrets.COVERALLS_TOKEN }}
 
+permissions:
+ contents: read
+
 jobs:
 Build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-go@v3
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1
 with:
 go-version: ${{ env.go_version }}
 - run: make build
 Test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-go@v3
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1
 with:
 go-version: ${{ env.go_version }}
 - run: make test
 Lint:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-go@v3
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1
 with:
 go-version: ${{ env.go_version }}
- - uses: golangci/golangci-lint-action@v3
+ - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
 with:
 version: latest
 args: --timeout 3m
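Review bot: `egress-policy: audit` on the three new harden-runner steps only records outbound connections; nothing is blocked, so at this point the added steps are telemetry rather than enforcement. Once the audit reports show which endpoints Build, Test and Lint actually need, the step should move to `egress-policy: block` with an `allowed-endpoints:` list, and a comment on the step noting that this is the planned follow-up would stop the `audit` setting from being read as final. The new workflow-level `permissions: contents: read` is the right default, but `COVERALLS_TOKEN` remains in the workflow-level `env:` (context lines at the top of the hunk), so it is injected into every job, including the ones that run third-party actions; moving it to the Coverage job's `env:` limits that exposure. The pinned `golangci-lint-action` still resolves the linter binary with `version: latest`, which floats independently of the action SHA, so pinning the linter version is what restores reproducibility here. The `jobs:` mapping continues past the end of the hunk.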
@@ -43,10 +64,15 @@ jobs:
 Check-License:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 with:
 version: latest
- - uses: actions/setup-go@v3
+ - uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1
 with:
 go-version: ${{ env.go_version }}
 - run: make check-license
@@ -54,7 +80,12 @@ jobs:
 Check-format:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 with:
 version: latest
 - run: make check-format
@@ -62,10 +93,15 @@ jobs:
 Coverage:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 with:
 version: latest
- - uses: actions/setup-go@v3
+ - uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1
 with:
 go-version: ${{ env.go_version }}
 - run: make test-cover COVERALLS_TOKEN="$COVERALLS_TOKEN"
@@ -73,7 +109,7 @@ jobs:
 # Salus:
 # runs-on: ubuntu-latest
 # steps:
- # - uses: actions/checkout@v3
+ # - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 # with:
 # version: latest
 # - run: make salus
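Review bot: The `with:` / `version: latest` block that follows the newly pinned `actions/checkout` step in Check-License is not an input that action defines, so the value is ignored and the runner logs an unexpected-input warning; the same leftover block sits under checkout in the Check-format and Coverage hunks. Since this commit already rewrites each of those `uses:` lines, dropping the two `with:` and `version: latest` lines beneath them keeps the pinned step free of dead configuration. If `version: latest` was originally meant for `actions/setup-go`, that step already receives `go-version`, so nothing is lost by removing it. The `jobs:` mapping continues before and after this hunk.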
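Review bot: The last line of the Coverage hunk, `- run: make test-cover COVERALLS_TOKEN="$COVERALLS_TOKEN"`, is unchanged by the commit but hands the secret to make as a command-line variable, where it is visible in the step's process arguments; the harden-runner step added above it in audit mode does not change that. The variable is already in the job environment through the workflow-level `env:`, and make imports environment variables as make variables, so `- run: make test-cover` should be enough provided the Makefile's recipe reads `$(COVERALLS_TOKEN)` rather than depending on the command-line override — worth confirming against the Makefile, which is outside this diff. When the egress policy is later switched to `block`, this is the job that will need the coverage service's upload endpoint allowed explicitly.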