
ci: pin GitHub Actions to specific versions and set appropriate permissions

Jelmer Vernooij 4 mesi fa
parent
commit
683adb70c4

+ 5 - 3
.github/workflows/auto-merge.yml

@@ -2,17 +2,19 @@ name: Dependabot auto-merge
 on: pull_request_target
 
 permissions:
-  pull-requests: write
-  contents: write
+  contents: read
 
 jobs:
   dependabot:
     runs-on: ubuntu-latest
     if: ${{ github.actor == 'dependabot[bot]' }}
+    permissions:
+      pull-requests: write
+      contents: write
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v2
+        uses: dependabot/fetch-metadata@v2.2.0
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
       - name: Enable auto-merge for Dependabot PRs
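Review bot: The new pin at line 32, `uses: dependabot/fetch-metadata@v2.2.0`, and the matching `uses:` lines in disperse.yml, docs.yml, python-distributions.yml and pythontest.yml still reference git tags, which the action's maintainers (or anyone who gains write access to that repository) can move to different code without the workflow noticing. GitHub's hardening guidance is to pin each third-party action to its full commit SHA and keep the human-readable version as a trailing comment, e.g. `uses: dependabot/fetch-metadata@<full-commit-sha>  # v2.2.0`, which Dependabot's github-actions updater keeps in step. Separately, the job-level block at lines 25-27 hands `contents: write` and `pull-requests: write` back to a job triggered by `pull_request_target`, which runs with base-branch secrets; the `if:` on `github.actor` narrows who reaches it, but the job body continues past line 35 outside this hunk, so it is worth confirming that none of the later steps check out or run code from the PR head.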

+ 5 - 2
.github/workflows/disperse.yml

@@ -5,11 +5,14 @@ name: Disperse configuration
   push:
     branches: [ main, master ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
-      - uses: jelmer/action-disperse-validate@v2
+      - uses: actions/checkout@v5.0.0
+      - uses: jelmer/action-disperse-validate@v2.0.0

+ 5 - 2
.github/workflows/docs.yml

@@ -8,14 +8,17 @@ name: API Docs
   schedule:
     - cron: "0 6 * * *"  # Daily 6AM UTC build
 
+permissions:
+  contents: read
+
 jobs:
   apidocs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v5.0.0
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v5.3.0
         with:
           python-version: "3.13"
       - name: Install pydoctor

+ 22 - 19
.github/workflows/python-distributions.yml

@@ -9,6 +9,9 @@ on:
   schedule:
     - cron: "0 6 * * *" # Daily 6AM UTC build
 
+permissions:
+  contents: read
+
 jobs:
   define-matrix:
     runs-on: ubuntu-latest
@@ -16,8 +19,8 @@ jobs:
       matrix: ${{ steps.merged-identifiers.outputs.merged-identifiers }}
 
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v5.0.0
+      - uses: actions/setup-python@v5.3.0
         with:
           python-version: 3.x
           cache: pip
@@ -63,8 +66,8 @@ jobs:
       fail-fast: true
 
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v5.0.0
+      - uses: actions/setup-python@v5.3.0
         with:
           cache: pip
       - name: Install dependencies
@@ -72,14 +75,14 @@ jobs:
           python -m pip install --upgrade pip
           pip install setuptools wheel cibuildwheel setuptools-rust
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v3.2.0
         if: "matrix.os == 'ubuntu-latest'"
       - name: Build wheels
         run: python -m cibuildwheel --output-dir wheelhouse
         env:
           CIBW_BUILD: "${{ matrix.build-identifier }}*"
       - name: Upload wheels
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v4.5.0
         with:
           name: artifact-${{ matrix.build-identifier }}
           path: ./wheelhouse/*.whl
@@ -87,8 +90,8 @@ jobs:
   build-android-wheels:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v5.0.0
+      - uses: actions/setup-python@v5.3.0
         with:
           cache: pip
       - name: Install dependencies
@@ -101,7 +104,7 @@ jobs:
           CIBW_PLATFORM: android
           CIBW_ARCHS_ANDROID: arm64_v8a x86_64
       - name: Upload Android wheels
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v4.5.0
         with:
           name: artifact-android
           path: ./wheelhouse/*.whl
@@ -109,14 +112,14 @@ jobs:
   build-pure-wheels:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v5.0.0
+      - uses: actions/setup-python@v5.3.0
         with:
           cache: pip
       - run: pip install build
       - run: PURE=true python -m build --wheel
       - name: Upload pure wheels
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v4.5.0
         with:
           name: artifact-pure
           path: ./dist/*.whl
@@ -124,8 +127,8 @@ jobs:
   build-sdist:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v5.0.0
+      - uses: actions/setup-python@v5.3.0
         with:
           cache: pip
       - name: Install dependencies
@@ -135,7 +138,7 @@ jobs:
       - name: Build sdist
         run: python -m build --sdist
       - name: Upload sdist
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v4.5.0
         with:
           name: artifact-source
           path: ./dist/*.tar.gz
@@ -145,7 +148,7 @@ jobs:
       - build-sdist
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v5.3.0
         with:
           cache: pip
       - name: Install dependencies
@@ -155,7 +158,7 @@ jobs:
           # See https://github.com/pypa/twine/issues/1216
           pip install "twine>=6.1.0" "packaging>=24.2"
       - name: Download sdist
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v5.0.0
         with:
           name: artifact-source
           path: dist
@@ -179,10 +182,10 @@ jobs:
       url: https://pypi.org/p/dulwich
     steps:
       - name: Download distributions
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v5.0.0
         with:
           merge-multiple: true
           pattern: artifact-*
           path: dist
       - name: Publish package distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@v1.10.4
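Review bot: The new workflow-level `permissions: contents: read` at lines 89-90 now applies to every job in this file that does not declare its own block, including the publishing job whose `environment` url is visible at line 211; if that job uses PyPI trusted publishing it needs a job-level `permissions:` with `id-token: write` (and `contents: read`), and no such block appears in these hunks, so confirm it exists outside the visible lines or the step at line 222 will fail at the OIDC token exchange. The change from `pypa/gh-action-pypi-publish@release/v1` to `@v1.10.4` also stops following the branch the publisher's maintainers keep patched, so this pin will only receive security fixes if Dependabot's github-actions updates are enabled for the repository.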

+ 5 - 2
.github/workflows/pythontest.yml

@@ -7,6 +7,9 @@ on:
   schedule:
     - cron: "0 6 * * *" # Daily 6AM UTC build
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ${{ matrix.os }}
@@ -18,9 +21,9 @@ jobs:
       fail-fast: false
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v5.0.0
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v5.3.0
         with:
           python-version: ${{ matrix.python-version }}
           allow-prereleases: true