ci: upgrade github actions

Signed-off-by: Emilien Escalle <emilien.escalle@escemi.com>
hoverkraft-tech · Apr 2, 2024 · 7f6c287 · 7f6c287
1 parent 14fb439
commit 7f6c287
Show file tree

Hide file tree

Showing 10 changed files with 62 additions and 13 deletions.
diff --git a/.github/workflows/__check-action.yml b/.github/workflows/__check-action.yml
@@ -3,6 +3,9 @@ name: Internal - Tests for action
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   test-action-with-services:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/__check-dist.yml b/.github/workflows/__check-dist.yml
@@ -3,6 +3,9 @@ name: Internal - Checks for dist
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   check-dist:
     name: Check dist

diff --git a/.github/workflows/__check-nodejs.yml b/.github/workflows/__check-nodejs.yml
@@ -3,6 +3,11 @@ name: Internal - Checks for nodejs
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  security-events: write
+  id-token: write
+
 jobs:
   test-nodejs:
     uses: hoverkraft-tech/ci-github-nodejs/.github/workflows/continuous-integration.yml@0.4.2

diff --git a/.github/workflows/__shared-ci.yml b/.github/workflows/__shared-ci.yml
@@ -3,9 +3,14 @@ name: Common Continuous Integration tasks
 on:
   workflow_call:
 
+permissions:
+  contents: read
+  packages: read
+  statuses: write
+
 jobs:
   linter:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@feat/linter-extra-env-input
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@0.13.0
     with:
       linter-env: |
         FILTER_REGEX_EXCLUDE=dist/**/*

diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
@@ -0,0 +1,14 @@
+name: Greetings
+
+on:
+  issues:
+    types: [opened]
+  pull_request_target:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  greetings:
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@0.13.0
diff --git a/.github/workflows/main-ci.yml b/.github/workflows/main-ci.yml
@@ -3,7 +3,12 @@ name: Internal - Main - Continuous Integration
 on:
   push:
     branches: [main]
-    tags: ['*']
+    tags: ["*"]
+
+permissions:
+  contents: read
+  packages: read
+  statuses: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -30,11 +35,11 @@ jobs:
           app-id: ${{ vars.CI_BOT_APP_ID }}
           private-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
 
-      - uses: hoverkraft-tech/ci-github-common/actions/create-and-merge-pull-request@main
+      - uses: hoverkraft-tech/ci-github-common/actions/create-and-merge-pull-request@0.13.0
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           branch: docs/actions-workflows-documentation-update
-          title: 'docs: update actions and workflows documentation'
+          title: "docs: update actions and workflows documentation"
           body: Update actions and workflows documentation
           commit-message: |
             docs: update actions and workflows documentation

diff --git a/.github/workflows/need-fix-to-issue.yml b/.github/workflows/need-fix-to-issue.yml
@@ -6,18 +6,21 @@ on:
       - main
   workflow_dispatch:
     inputs:
+      #checkov:skip=CKV_GHA_7: required
       manual-commit-ref:
-        description: 'The SHA of the commit to get the diff for'
+        description: "The SHA of the commit to get the diff for"
         required: true
       manual-base-ref:
-        description:
-          'By default, the commit entered above is compared to the one directly
-          before it; to go back further, enter an earlier SHA here'
+        description: "By default, the commit entered above is compared to the one directly
+          before it; to go back further, enter an earlier SHA here"
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@0.12.1
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@0.13.0
     with:
       manual-commit-ref: ${{ inputs.manual-commit-ref }}
       manual-base-ref: ${{ inputs.manual-base-ref }}
diff --git a/.github/workflows/pull-request-ci.yml b/.github/workflows/pull-request-ci.yml
@@ -5,6 +5,11 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+  packages: read
+  statuses: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true

diff --git a/.github/workflows/semantic-pull-request.yml b/.github/workflows/semantic-pull-request.yml
@@ -1,4 +1,4 @@
-name: 'Pull Request - Semantic Lint'
+name: "Pull Request - Semantic Lint"
 
 on:
   pull_request_target:
@@ -7,6 +7,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@0.12.1
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@0.13.0
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -2,8 +2,11 @@ name: Mark stale issues and pull requests
 
 on:
   schedule:
-    - cron: '30 1 * * *'
+    - cron: "30 1 * * *"
+
+permissions:
+  contents: read
 
 jobs:
   main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@0.12.1
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@0.13.0