diff --git a/.github/workflows/prpush.yml b/.github/workflows/prpush.yml index dcaa728..8278d74 100644 --- a/.github/workflows/prpush.yml +++ b/.github/workflows/prpush.yml @@ -1,24 +1,32 @@ +name: ci + on: push: branches: - 'main' pull_request: -name: ci + +permissions: {} # lock everything by default (least-privilege) + jobs: staticcheck: runs-on: ubuntu-latest + permissions: + contents: read steps: - - name: checkout code - uses: actions/checkout@v4 + - name: Checkout code + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 + - name: install Go - uses: actions/setup-go@v4 + uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4.3.0 with: go-version: 1.21.x - name: gofmt run: if [[ -n $(gofmt -l .) ]]; then echo "please run gofmt"; exit 1; fi + - name: generated files should not be modified run: | go generate ./... @@ -31,8 +39,9 @@ jobs: run: | find . -type f -name '*.go' -exec sed -i 's/Code generated by .* DO NOT EDIT/FOO/g' {} \; # on macos: find . -type f -name '*.go' -exec sed -i '' -E 's/Code generated by .* DO NOT EDIT/FOO/g' {} \; + - name: golangci-lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: version: v1.54 args: -v --timeout=5m @@ -40,19 +49,20 @@ jobs: test: runs-on: ubuntu-latest - permissions: - pull-requests: write + permissions: + contents: read steps: - name: checkout code - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - name: install Go - uses: actions/setup-go@v4 + uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4.3.0 with: go-version: 1.21.x # Install gotestfmt on the VM running the action. - name: Set up gotestfmt - uses: gotesttools/gotestfmt-action@v2 + uses: gotesttools/gotestfmt-action@7dd37bbcc925453b6d7465164cf3bcbd87bc691d # v2 with: # Optional: pass GITHUB_TOKEN to avoid rate limiting. token: ${{ secrets.GITHUB_TOKEN }} @@ -67,7 +77,7 @@ jobs: - name: Upload testdata if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: testdata path: ./lzss/testdata/fuzz diff --git a/.github/workflows/security-code-scanner.yml b/.github/workflows/security-code-scanner.yml index 474d2a5..172ada1 100644 --- a/.github/workflows/security-code-scanner.yml +++ b/.github/workflows/security-code-scanner.yml @@ -15,9 +15,11 @@ on: required: false workflow_dispatch: +permissions: {} # lock everything by default (least-privilege) + jobs: security-scan: - uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2 + uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@ff5edd492dfd4a70813066fe9f1552a2ac13766f # v2.1.0 permissions: actions: read contents: read