diff --git a/.github/codeql.yml b/.github/codeql.yml
new file mode 100644
index 00000000..30ba17f6
--- /dev/null
+++ b/.github/codeql.yml
@@ -0,0 +1,2 @@
+paths:
+- "s3transfer/"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..ff97bc29
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,35 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: ["develop"]
+ pull_request:
+ branches: ["develop"]
+ schedule:
+ - cron: "0 0 * * 5"
+
+permissions: "read-all"
+
+jobs:
+ analyze:
+ name: "Analyze"
+ runs-on: "ubuntu-latest"
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: "Checkout repository"
+ uses: "actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3"
+
+ - name: "Run CodeQL init"
+ uses: "github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a"
+ with:
+ config-file: "./.github/codeql.yml"
+ languages: "python"
+
+ - name: "Run CodeQL autobuild"
+ uses: "github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a"
+
+ - name: "Run CodeQL analyze"
+ uses: "github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a"
diff --git a/.github/workflows/fail-master-prs.yml b/.github/workflows/fail-master-prs.yml
index 671b81ed..e6ca087a 100644
--- a/.github/workflows/fail-master-prs.yml
+++ b/.github/workflows/fail-master-prs.yml
@@ -4,6 +4,9 @@ on:
 pull_request:
 branches: [ master ]
+permissions:
+ contents: read
+
 jobs:
 fail:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 01072688..b72beeb1 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
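Review bot: The `paths:` filter confines CodeQL to `s3transfer/`, so `scripts/` (which run-tests.yml executes via `python scripts/ci/run-tests`) and the `tests/` directory fall outside the analysis, and nothing in the file says whether that narrowing is intended. If it is, a comment above the key would keep the next maintainer from widening it by accident: `# Scan only the library; CI scripts and tests are intentionally out of scope.` The sequence here is flush with its key while the workflow files in this same diff indent theirs, so yamllint's indent-sequences check will flag one of the two styles.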
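Review bot: Every `uses:` in the analyze job is pinned to a bare commit SHA with nothing recording which release the SHA corresponds to, which makes the pins hard to audit and to bump; the same applies to the pins introduced in lint.yml, run-crt-test.yml and run-tests.yml. The usual form is a trailing comment naming the tag, e.g. `uses: "actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3" # <release tag>`, which Dependabot can also keep in step when it advances the SHA. The `autobuild` step is likely redundant for `languages: "python"`, since CodeQL's Python extractor does not need a build; if it is kept, a one-line comment saying why would help. As a minor style point, `permissions: "read-all"` is quoted while the job-level `read`/`write` values are not; either form parses, but one convention per file reads better.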
@@ -5,15 +5,18 @@ on:
 pull_request:
 branches-ignore: [ master ]
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-20.04
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
 - name: Set up Python 3.9
- uses: actions/setup-python@v2
+ uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1
 with:
 python-version: 3.9
 - name: Run pre-commit
- uses: pre-commit/action@v2.0.0
+ uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
diff --git a/.github/workflows/run-crt-test.yml b/.github/workflows/run-crt-test.yml
index e9e2ac22..9c1ded80 100644
--- a/.github/workflows/run-crt-test.yml
+++ b/.github/workflows/run-crt-test.yml
@@ -15,9 +15,9 @@ jobs:
 python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"]
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install dependencies and CRT
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index 0f71f2a6..12b39b8c 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches-ignore: [ master ]
+permissions:
+ contents: read
+
 jobs:
 build:
@@ -15,9 +18,9 @@ jobs:
 python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"]
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install dependencies
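Review bot: run-crt-test.yml receives only the SHA pins, while fail-master-prs.yml, lint.yml and run-tests.yml in this same change also gain a top-level `permissions:` block; the unchanged hunk offset (`@@ -15,9 +15,9 @@`) suggests nothing was inserted above these steps, so unless the file already declares one, this workflow keeps the repository's default token permissions rather than the read-only grant the sibling workflows now get. Adding the same two lines above `jobs:` would make the least-privilege setting consistent across the four workflows: `permissions:` / `  contents: read`. The enclosing `jobs:` block starts above the hunk, so the top of the file is not visible here.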
@@ -27,6 +30,6 @@ jobs:
 run: |
 python scripts/ci/run-tests --with-cov
 - name: codecov
- uses: codecov/codecov-action@v3
+ uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d
 with:
 directory: tests