From 2569b38747690032282b95a3074756aaf3349021 Mon Sep 17 00:00:00 2001 From: Forge Date: Thu, 28 May 2026 01:25:09 -0700 Subject: [PATCH] =?UTF-8?q?chore(Tasken):=20workflow=20hygiene=20=E2=80=94?= =?UTF-8?q?=20ubuntu-24.04,=20permissions?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/auto-merge.yml | 5 ++++- .github/workflows/benchmarks.yml | 5 ++++- .github/workflows/cargo-audit.yml | 5 ++++- .github/workflows/cargo-deny.yml | 5 ++++- .github/workflows/cargo-machete.yml | 5 ++++- .github/workflows/cargo-semver-checks.yml | 5 ++++- .github/workflows/ci.yml | 7 +++++-- .github/workflows/codeql-rust.yml | 2 +- .github/workflows/codeql.yml | 2 +- .github/workflows/coverage.yml | 5 ++++- .github/workflows/journey-gate.yml | 7 +++++-- .github/workflows/pages-deploy.yml | 2 +- .github/workflows/pre-commit.yml | 5 ++++- .github/workflows/quality-gate.yml | 15 +++++++++------ .github/workflows/release.yml | 4 ++-- .github/workflows/sast.yml | 5 ++++- .github/workflows/scorecard.yml | 2 +- .github/workflows/security-guard.yml | 5 ++++- .github/workflows/security.yml | 8 ++++---- .github/workflows/trufflehog.yml | 5 ++++- 20 files changed, 73 insertions(+), 31 deletions(-) diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index 4c54cb0..047d16e 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml @@ -1,4 +1,7 @@ name: Auto Merge +permissions: + contents: read + pull-requests: read on: pull_request: @@ -7,7 +10,7 @@ on: jobs: auto-merge: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 if: github.actor == 'dependabot[bot]' || github.actor == 'pre-commit-ci[bot]' steps: - name: Checkout diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml index 3f5b5a7..a248dad 100644 --- a/.github/workflows/benchmarks.yml +++ b/.github/workflows/benchmarks.yml 
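Review bot: The workflow-level `permissions:` added to auto-merge.yml grants only `contents: read` and `pull-requests: read`, which is too narrow for a job whose purpose is to enable or perform a merge; if the steps after `Checkout` (outside the hunk) call `gh pr merge --auto` or the pull-request API, they will now fail with a 403 unless the job declares its own `permissions:`. Keep the read-only block at workflow level and add to the `auto-merge` job `permissions:` / `contents: write` / `pull-requests: write`. The `if:` gate on `github.actor` is unchanged by this commit, but it is the only control in front of those write scopes, so it is worth confirming that `github.actor` (the user who triggered the run) rather than the PR author is the identity you mean to check.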
@@ -1,4 +1,7 @@ name: Benchmarks +permissions: + contents: read + pull-requests: read on: push: @@ -15,7 +18,7 @@ concurrency: jobs: benchmark: name: Run Benchmarks - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml index 0484f5c..f9f0e5e 100644 --- a/.github/workflows/cargo-audit.yml +++ b/.github/workflows/cargo-audit.yml @@ -1,4 +1,7 @@ name: cargo-audit +permissions: + contents: read + pull-requests: read on: push: @@ -12,7 +15,7 @@ on: jobs: audit: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 - uses: rustsec/audit-check@v2 diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml index b3795a0..5e12fe3 100644 --- a/.github/workflows/cargo-deny.yml +++ b/.github/workflows/cargo-deny.yml @@ -1,4 +1,7 @@ name: cargo-deny +permissions: + contents: read + pull-requests: read on: workflow_dispatch: @@ -17,7 +20,7 @@ on: jobs: cargo-deny: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c diff --git a/.github/workflows/cargo-machete.yml b/.github/workflows/cargo-machete.yml index 9e88aa0..4531526 100644 --- a/.github/workflows/cargo-machete.yml +++ b/.github/workflows/cargo-machete.yml @@ -1,4 +1,7 @@ name: cargo-machete +permissions: + contents: read + pull-requests: read on: push: { branches: [main], paths: ['Cargo.toml', '**/Cargo.toml'] } pull_request: { paths: ['Cargo.toml', '**/Cargo.toml'] } 
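Review bot: The context line `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1` in benchmarks.yml carries two `@` refs, which is not a resolvable action reference and fails the job at start-up; the same line appears in cargo-audit, cargo-machete, cargo-semver-checks, ci, coverage, pre-commit, quality-gate, release, sast, security-guard and security.yml. Since this commit already touches every one of those files for hygiene, it should collapse the ref to a single SHA, as trufflehog.yml does with `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683`, and make the trailing version comment match whichever SHA is kept (the `# v4.1.1` comment belongs to the first of the two). cargo-deny.yml pins checkout to a third SHA, `7f4fc3e22c37d6ff65e88745f38bd3157c663f7c`, with no version comment; converging on one pin with a version comment keeps Dependabot and reviewers able to audit it.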
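Review bot: `rustsec/audit-check@v2` in cargo-audit.yml is referenced by a mutable tag while the checkout on the line above is SHA-pinned, so the supply-chain posture of this workflow is only as strong as its weakest ref; pin it to a commit SHA with a `# vX.Y.Z` comment like the other actions. Separately, the new workflow-level `permissions:` block grants only read scopes; if this action is configured to open issues or publish check runs on findings (not visible in the hunk), it will need job-level `issues: write` and `checks: write`, so verify against the action's documented permissions before merging.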
@@ -6,7 +9,7 @@ on: workflow_dispatch: jobs: machete: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 - uses: bnjbvr/cargo-machete@main diff --git a/.github/workflows/cargo-semver-checks.yml b/.github/workflows/cargo-semver-checks.yml index a1abac9..509df97 100644 --- a/.github/workflows/cargo-semver-checks.yml +++ b/.github/workflows/cargo-semver-checks.yml @@ -1,10 +1,13 @@ name: cargo-semver-checks +permissions: + contents: read + pull-requests: read on: pull_request: { paths: ['**/Cargo.toml'] } workflow_dispatch: jobs: semver-checks: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 - uses: obi1kenobi/cargo-semver-checks-action@v2 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 939cff5..96a6c46 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,4 +1,7 @@ name: CI +permissions: + contents: read + pull-requests: read on: push: @@ -8,7 +11,7 @@ on: jobs: test: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 strategy: matrix: @@ -34,5 +37,5 @@ jobs: phenotype-validate: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 uses: KooshaPari/phenotypeActions/.github/workflows/validate-governance.yml@main diff --git a/.github/workflows/codeql-rust.yml b/.github/workflows/codeql-rust.yml index 60eb7d1..d2dc285 100644 --- a/.github/workflows/codeql-rust.yml +++ b/.github/workflows/codeql-rust.yml @@ -12,7 +12,7 @@ on: jobs: analyze: name: Analyze (rust) - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 360 permissions: actions: read diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4eb8918..087feec 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
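Review bot: `bnjbvr/cargo-machete@main` in cargo-machete.yml runs whatever is currently on that branch on every pull request, the least constrained form of action reference; the commit pins the runner image but leaves this floating. Pin it to a commit SHA with a version comment, consistent with the SHA-pinned checkout on the line above. `obi1kenobi/cargo-semver-checks-action@v2` in cargo-semver-checks.yml has the same issue at the tag level.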
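Review bot: The `phenotype-validate` job in ci.yml is a reusable-workflow call (`uses: KooshaPari/phenotypeActions/.github/workflows/validate-governance.yml@main`), and a job that has `uses:` may not also carry `runs-on`; the commit rewrites that `runs-on` line instead of dropping it, so the workflow will keep failing validation. Remove `runs-on: ubuntu-24.04` from that job entirely; the runner is chosen inside the called workflow. The `@main` reference also means the governance check executes code from a mutable branch of another repository on every push and pull request; pin it to a commit SHA. The rest of that job, if any, is outside the hunk.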
@@ -16,7 +16,7 @@ permissions: jobs: analyze: name: Analyze Rust - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: actions: read contents: read diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index f948445..5c13c8e 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -1,8 +1,11 @@ name: Coverage +permissions: + contents: read + pull-requests: read on: [push, pull_request] jobs: coverage: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 - name: Run coverage diff --git a/.github/workflows/journey-gate.yml b/.github/workflows/journey-gate.yml index a9ffac9..673c820 100644 --- a/.github/workflows/journey-gate.yml +++ b/.github/workflows/journey-gate.yml @@ -1,4 +1,7 @@ # ============================================================================= +permissions: + contents: read + pull-requests: read # Journey Gate — Reusable Workflow # ============================================================================= # Canonical source: phenotype-infra/docs/governance/ci-journey-gate.yml @@ -50,7 +53,7 @@ env: jobs: journey-gate: name: Journey Verification - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 timeout-minutes: 15 steps: @@ -233,7 +236,7 @@ jobs: # -------------------------------------------------------------------------- stub-mode: name: Journey Gate — No Manifests Found - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 needs: journey-gate if: needs.journey-gate.result == 'failure' && needs.journey-gate.outputs.MANIFEST_COUNT == '0' steps: diff --git a/.github/workflows/pages-deploy.yml b/.github/workflows/pages-deploy.yml index 4bae86b..2a1f94b 100644 --- a/.github/workflows/pages-deploy.yml +++ b/.github/workflows/pages-deploy.yml @@ -8,7 +8,7 @@ on: jobs: deploy: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: contents: read pages: write 
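Review bot: In journey-gate.yml the new `permissions:` block is inserted between the opening `# =====` banner line and the `# Journey Gate — Reusable Workflow` title, splitting the header comment in two. It parses, but it is easy to miss there and the other files in this commit place the block directly after `name:`; move it below the banner next to the workflow's `name:`/`on:` keys. Since the header calls this a reusable workflow, a one-line comment above the block such as `# Caller-granted token scopes can only be narrowed here, never widened.` would save the next reader from expecting it to grant anything.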
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 8d37b74..62bf000 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -1,4 +1,7 @@ name: Pre-commit Hooks +permissions: + contents: read + pull-requests: read on: push: @@ -8,7 +11,7 @@ on: jobs: pre-commit: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml index 03e0d25..db00229 100644 --- a/.github/workflows/quality-gate.yml +++ b/.github/workflows/quality-gate.yml @@ -1,4 +1,7 @@ name: Quality Gate +permissions: + contents: read + pull-requests: read on: pull_request: @@ -10,7 +13,7 @@ env: jobs: check-changes: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 outputs: has_tests: ${{ steps.check.outputs.has_tests }} has_e2e: ${{ steps.check.outputs.has_e2e }} @@ -30,7 +33,7 @@ jobs: unit-tests: name: Unit Tests - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 @@ -67,7 +70,7 @@ jobs: name: E2E Tests needs: check-changes if: needs.check-changes.outputs.has_e2e == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 @@ -84,7 +87,7 @@ jobs: name: Integration Tests needs: check-changes if: needs.check-changes.outputs.has_integration == 'true' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 
@@ -99,7 +102,7 @@ jobs: fr-annotation-check: name: FR Annotation Check - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 with: @@ -137,7 +140,7 @@ jobs: name: Quality Report needs: [unit-tests, e2e-tests, integration-tests, fr-annotation-check] if: always() - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index be04441..0c10240 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ permissions: jobs: release: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 if: contains(github.event.head_commit.message, 'release:') || contains(github.event.head_commit.message, 'chore(release)') outputs: version: $123steps.version.outputs.version125 @@ -45,7 +45,7 @@ jobs: promote: needs: release - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index 7df1c76..a29a726 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml @@ -1,4 +1,7 @@ name: Security (SAST) +permissions: + contents: read + pull-requests: read on: push: branches: [main, develop] @@ -6,7 +9,7 @@ on: schedule: [{cron: "0 2 * * *"}] jobs: codeql: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 - uses: github/codeql-action/init-action@v3 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 3283ada..10de6e4 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
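Review bot: The `codeql` job in sast.yml runs `github/codeql-action/init-action@v3` under the new workflow-level `permissions:` block, which grants only `contents: read` and `pull-requests: read`; uploading CodeQL results requires `security-events: write`, so unless the job declares its own `permissions:` somewhere outside the hunk the analysis step will be unable to publish its SARIF. Add to the job, as security.yml already does for its `sast` job, `permissions:` / `security-events: write`. I also do not recognise `init-action` as a published sub-action of that repository — the documented initialiser is `github/codeql-action/init` — so confirm the path resolves before relying on this workflow. The job body continues outside the hunk.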
@@ -11,7 +11,7 @@ permissions: read-all jobs: analysis: name: Scorecard analysis - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: security-events: write id-token: write diff --git a/.github/workflows/security-guard.yml b/.github/workflows/security-guard.yml index 20c8f75..605b939 100644 --- a/.github/workflows/security-guard.yml +++ b/.github/workflows/security-guard.yml @@ -1,4 +1,7 @@ name: Security Guard +permissions: + contents: read + pull-requests: read on: pull_request: @@ -8,7 +11,7 @@ on: jobs: security-guard: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 with: diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index b2c14db..88b2111 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -21,7 +21,7 @@ jobs: # Secret Scanning secrets: name: Secret Detection - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 @@ -37,7 +37,7 @@ jobs: # SAST Scanning sast: name: SAST Analysis - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 permissions: security-events: write steps: @@ -61,7 +61,7 @@ jobs: # Dependency Vulnerability Scanning dependencies: name: Dependency Audit - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 @@ -80,7 +80,7 @@ jobs: # Container Scanning (if Dockerfile exists) container: name: Container Scan - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 if: ${{ hashFiles('Dockerfile') != '' }} steps: - name: Checkout diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml index 2b440b2..02e5492 100644 --- a/.github/workflows/trufflehog.yml 
+++ b/.github/workflows/trufflehog.yml @@ -1,4 +1,7 @@ name: Trufflehog Secrets Scan +permissions: + contents: read + pull-requests: read on: push: branches: [main] @@ -6,7 +9,7 @@ on: jobs: trufflehog: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: