diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index b187af225bd..5d93c66561c 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -1,6 +1,10 @@ name: checks on: [pull_request, workflow_dispatch] +permissions: + contents: read + checks: write + concurrency: cancel-in-progress: true group: ${{ github.workflow }}-${{ github.ref }} @@ -15,16 +19,16 @@ jobs: name: lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 with: go-version-file: go.mod - - uses: golangci/golangci-lint-action@v9 + - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9 with: version: v2.11.4 - - uses: megalinter/megalinter/flavors/go@v8.4.2 + - uses: oxsecurity/megalinter/flavors/go@ec124f7998718d79379a3c5b39f5359952baf21d # v8.4.2 env: DEFAULT_BRANCH: master GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -36,18 +40,18 @@ jobs: name: test-linux runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 2 - name: Set up QEMU - uses: docker/setup-qemu-action@v4 - - uses: actions/setup-go@v6 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4 + - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 with: go-version-file: go.mod - name: Run Tests run: go run gotest.tools/gotestsum@latest --junitfile unit-tests.xml --format pkgname -- -v -cover -coverpkg=./... -coverprofile=coverage.txt -covermode=atomic -timeout 20m ./... - name: Test Summary - uses: test-summary/action@v2.4 + uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4 with: paths: 'unit-tests.xml' if: always() @@ -56,7 +60,7 @@ jobs: - name: Run act from cli without docker support run: go run -tags WITHOUT_DOCKER main.go -P ubuntu-latest=-self-hosted -C ./pkg/runner/testdata/ -W ./local-action-js/push.yml - name: Upload Codecov report - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5 with: files: coverage.txt fail_ci_if_error: true # optional (default = false) @@ -71,17 +75,17 @@ jobs: name: test-host-${{matrix.os}} runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 2 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 with: go-version-file: go.mod - name: Run Tests run: go run gotest.tools/gotestsum@latest --junitfile unit-tests.xml --format pkgname -- -v -cover -coverpkg=./... -coverprofile=coverage.txt -covermode=atomic -timeout 20m -run ^TestRunEventHostEnvironment$ ./... shell: bash - name: Test Summary - uses: test-summary/action@v2.4 + uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4 with: paths: 'unit-tests.xml' if: always() @@ -90,84 +94,84 @@ jobs: name: snapshot runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 with: go-version-file: go.mod - name: GoReleaser - uses: goreleaser/goreleaser-action@v7 + uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7 with: version: '~> v2' args: release --snapshot --clean - name: Capture x86_64 (64-bit) Linux binary if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: act-linux-amd64 path: dist/act_linux_amd64_v1/act - name: Capture i386 (32-bit) Linux binary if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: act-linux-i386 path: dist/act_linux_386/act - name: Capture arm64 (64-bit) Linux binary if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: act-linux-arm64 path: dist/act_linux_arm64/act - name: Capture armv6 (32-bit) Linux binary if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: act-linux-armv6 path: dist/act_linux_arm_6/act - name: Capture armv7 (32-bit) Linux binary if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: act-linux-armv7 path: dist/act_linux_arm_7/act - name: Capture riscv64 (64-bit) Linux binary if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: act-linux-riscv64 path: dist/act_linux_riscv64/act - name: Capture x86_64 (64-bit) Windows binary if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: act-windows-amd64 path: dist/act_windows_amd64_v1/act.exe - name: Capture i386 (32-bit) Windows binary if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: act-windows-i386 path: dist/act_windows_386/act.exe - name: Capture arm64 (64-bit) Windows binary if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: act-windows-arm64 path: dist/act_windows_arm64/act.exe - name: Capture armv7 (32-bit) Windows binary if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: act-windows-armv7 path: dist/act_windows_arm_7/act.exe - name: Capture x86_64 (64-bit) MacOS binary if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: act-macos-amd64 path: dist/act_darwin_amd64_v1/act - name: Capture arm64 (64-bit) MacOS binary if: ${{ !env.ACT }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: act-macos-arm64 path: dist/act_darwin_arm64/act diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2ef1b300cf8..0ae83df9309 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,21 +14,21 @@ jobs: runs-on: ubuntu-latest environment: release steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 with: go-version-file: go.mod - name: GoReleaser - uses: goreleaser/goreleaser-action@v7 + uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7 with: version: '~> v2' args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Winget - uses: vedantmgoyal2009/winget-releaser@v2 + uses: vedantmgoyal9/winget-releaser@4ffc7888bffd451b357355dc214d43bb9f23917e # v2 with: identifier: nektos.act installers-regex: '_Windows_\w+\.zip$' @@ -40,7 +40,7 @@ jobs: apiKey: ${{ secrets.CHOCO_APIKEY }} push: true - name: GitHub CLI extension - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: github-token: ${{ secrets.GH_ACT_TOKEN }} script: |