From 3bf3cd76301dcb1dd7accefd601674e66372a3ab Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Wed, 30 Nov 2022 04:26:50 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot
---
 .github/workflows/coverage.yml | 7 +++++--
 .github/workflows/lint.yml | 7 +++++--
 .github/workflows/test.yml | 7 +++++--
 3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index cf11c9be5..53a5fd38d 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -2,12 +2,15 @@ name: coverage
 on: [push, pull_request]
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: ruby/setup-ruby@v1
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ - uses: ruby/setup-ruby@c7079efafd956afb5d823e8999c2506e1053aefa # v1.126.0
 with:
 ruby-version: '3.0'
 - name: Install dependencies
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 762042e9b..9e61fb2dd 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,13 +2,16 @@ name: lint
 on: [push, pull_request]
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
 continue-on-error: true
 steps:
- - uses: actions/checkout@v3
- - uses: ruby/setup-ruby@v1
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ - uses: ruby/setup-ruby@c7079efafd956afb5d823e8999c2506e1053aefa # v1.126.0
 with:
 ruby-version: '3.0'
 bundler-cache: true
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 48df02b7c..0be5d4dee 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
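Review bot: Nothing in this patch keeps the two SHA-pinned `uses:` lines in coverage.yml current, so `actions/checkout` stays at v3.1.0 and `ruby/setup-ruby` at v1.126.0 until someone edits the hashes by hand, and later security fixes to either action will not arrive on their own. The diffstat lists only the three workflow files, so unless the repository already runs an update bot, add a Dependabot entry with `package-ecosystem: "github-actions"`, which bumps the SHA and the trailing version comment together. The same pins appear in lint.yml and in the second hunk of test.yml. Nothing checks the `# v3.1.0` and `# v1.126.0` comments against the hashes, so it is worth confirming once that each SHA resolves to that tag in the upstream repository. The job's step list continues past the end of the hunk.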
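Review bot: The pinned `actions/checkout` step in lint.yml still uses the action's default of persisting the job token in the workspace's git configuration. The following `ruby/setup-ruby` step sets `bundler-cache: true`, which presumably installs third-party gems in that same workspace. The new `contents: read` block makes the token low-value, but giving the checkout step a `with:` block containing `persist-credentials: false` removes it from disk for the rest of the job. The checkout steps in coverage.yml and test.yml, which are followed by an `Install dependencies` step, would take the same setting. The remainder of the `lint` job is outside the hunk.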
@@ -2,6 +2,9 @@ name: test
 on: [push, pull_request]
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
 jobs:
 test:
 runs-on: ${{ matrix.os }}
@@ -17,8 +20,8 @@ jobs:
 - os: windows-latest
 ruby: jruby
 steps:
- - uses: actions/checkout@v3
- - uses: ruby/setup-ruby@v1
+ - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ - uses: ruby/setup-ruby@c7079efafd956afb5d823e8999c2506e1053aefa # v1.126.0
 with:
 ruby-version: ${{ matrix.ruby }}
 - name: Install dependencies
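Review bot: The inline comment on the added `permissions:` line in test.yml records which tool generated the block rather than why it is there, and the same comment is repeated in coverage.yml and lint.yml. The tool attribution is already in the commit subject, so the comment could carry the intent instead, for example `# least privilege: GITHUB_TOKEN is read-only for every job; widen per job only if a step needs it`. That tells the next maintainer where to grant a scope when a new step needs write access, instead of loosening the workflow-level default.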