Commit 99b0260

[force merge] Apply StepSecurity and zizmor fixes (#199)
* [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <[email protected]>

* Apply remaining zizmor findings

---------

Signed-off-by: StepSecurity Bot <[email protected]>
Co-authored-by: StepSecurity Bot <[email protected]>
1 parent b1a9763 commit 99b0260

4 files changed

+19
-1
lines changed

.github/workflows/golangci-lint.yml

Lines changed: 2 additions & 0 deletions
@@ -12,6 +12,8 @@ jobs:
1212
runs-on: ubuntu-latest
1313
steps:
1414
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
15+
with:
16+
persist-credentials: false
1517
- name: golangci-lint
1618
uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
1719
with:
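
Review bot: this is the only one of the four workflows whose diff adds no `permissions:` block, and the hunk starts at line 12, so it does not show whether one already exists above `jobs:`. Please confirm golangci-lint.yml declares `permissions: contents: read` (or narrower) at workflow or job level; if it does not, the job still runs with the repository's default token scope, and `persist-credentials: false` on the checkout step only keeps the token out of the local git config.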

.github/workflows/jsonnetfmt.yml

Lines changed: 5 additions & 0 deletions
@@ -4,11 +4,16 @@ on:
44
branches:
55
- main
66
pull_request: {}
7+
permissions:
8+
contents: read
9+
710
jobs:
811
jsonnetfmt:
912
runs-on: ubuntu-latest
1013
steps:
1114
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
15+
with:
16+
persist-credentials: false
1217
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
1318
with:
1419
go-version-file: go.mod
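
Review bot: the added `persist-credentials: false` under the checkout step means no later step in this job can use git with the stored token, and the steps after `actions/setup-go` are outside the hunk. Please confirm the remainder of the jsonnetfmt job only checks formatting and never runs an authenticated `git fetch` or `git push`; if that holds, a short trailing comment on the new line saying so would document the intent, in the same way release.yml annotates its `contents: write`.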

.github/workflows/release.yml

Lines changed: 8 additions & 1 deletion
@@ -4,15 +4,22 @@ on:
44
push:
55
tags:
66
- '*'
7-
7+
permissions:
8+
contents: read
9+
810
jobs:
911
goreleaser:
12+
permissions:
13+
contents: write # for goreleaser/goreleaser-action to create a GitHub release
1014
runs-on: ubuntu-latest
1115
steps:
1216
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
17+
with:
18+
persist-credentials: false
1319
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
1420
with:
1521
go-version-file: go.mod
22+
cache: false
1623
- uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
1724
with:
1825
version: latest
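
Review bot: the last context line, `version: latest` under `goreleaser/goreleaser-action`, leaves the GoReleaser binary itself unpinned in the one job that this hunk grants `contents: write`. The action is pinned to a commit SHA, but the tool it downloads is whatever is current when a tag is pushed; consider pinning `version:` to a specific release or a bounded constraint so the release job is reproducible. Separately, the new `cache: false` on `actions/setup-go` has no explanation, while `contents: write` two steps above does; a one-line comment stating why caching is disabled for tag builds would keep it from being reverted later.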

.github/workflows/test.yml

Lines changed: 4 additions & 0 deletions
@@ -4,11 +4,15 @@ on:
44
branches:
55
- main
66
pull_request: {}
7+
permissions:
8+
contents: read
79
jobs:
810
test:
911
runs-on: ubuntu-latest
1012
steps:
1113
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
14+
with:
15+
persist-credentials: false
1216
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
1317
with:
1418
go-version-file: go.mod
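
Review bot: style point on the new `permissions:` block at lines 7-8: here `contents: read` runs directly into `jobs:` with no blank line, whereas jsonnetfmt.yml and release.yml in this same commit add a blank separator line after it. Adding the blank line keeps the four workflow files consistent and makes the top-level keys easier to scan. The scope itself, `contents: read` for a job triggered by `pull_request` and pushes to `main`, looks right for what the visible steps do.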
