From caf3a14a035aa383229ce5f6ae3d3eec34b67cd7 Mon Sep 17 00:00:00 2001 From: Ahmed AbouZaid <6760103+aabouzaid@users.noreply.github.com> Date: Mon, 11 Sep 2023 21:42:48 +0200 Subject: [PATCH] chore: tidy up ci workflows --- .github/workflows/deps-renovate.yaml | 2 +- .github/workflows/go-ci.yml | 2 +- .github/workflows/go-release.yml | 2 +- .github/workflows/sec-codeql.yml | 4 ++++ .github/workflows/sec-scorecard.yml | 10 ++-------- 5 files changed, 9 insertions(+), 11 deletions(-) diff --git a/.github/workflows/deps-renovate.yaml b/.github/workflows/deps-renovate.yaml index d19efb0..581f268 100644 --- a/.github/workflows/deps-renovate.yaml +++ b/.github/workflows/deps-renovate.yaml @@ -16,6 +16,6 @@ jobs: steps: - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4 - name: Validate renovate config - uses: docker://renovate/renovate@sha256:41d720418a752ca2de69effe8b3fa37c05a9eb77ab0976036a3d3fc7e63489e5 + uses: docker://renovate/renovate:slim@sha256:8ab175d0e799f6d0851c3b079994e9ed313bf9892425eb6448aaa47ad44be727 with: args: renovate-config-validator diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index c21e7ae..44e64be 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -43,7 +43,7 @@ jobs: restore-keys: | ${{ runner.os }}-go- - name: Run GoReleaser - uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4 + uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5 with: distribution: goreleaser version: latest diff --git a/.github/workflows/go-release.yml b/.github/workflows/go-release.yml index 01c925e..fe752e0 100644 --- a/.github/workflows/go-release.yml +++ b/.github/workflows/go-release.yml 
@@ -31,7 +31,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Run GoReleaser - uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4 + uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/sec-codeql.yml b/.github/workflows/sec-codeql.yml index ab32b63..0171fef 100644 --- a/.github/workflows/sec-codeql.yml +++ b/.github/workflows/sec-codeql.yml @@ -23,6 +23,10 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4 + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4 + with: + go-version: '1.21' + cache: false - name: Setup Golang Caches uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3 with: diff --git a/.github/workflows/sec-scorecard.yml b/.github/workflows/sec-scorecard.yml index 183effd..64c38bc 100644 --- a/.github/workflows/sec-scorecard.yml +++ b/.github/workflows/sec-scorecard.yml @@ -1,18 +1,11 @@ -# This workflow uses actions that are not certified by GitHub. They are provided -# by a third-party and are governed by separate terms of service, privacy -# policy, and support documentation. - name: Security - Scorecard on: - # For Branch-Protection check. Only the default branch is supported. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection branch_protection_rule: - # To guarantee Maintained check is occasionally updated. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - cron: '38 3 * * 2' push: branches: [ "main" ] + workflow_dispatch: # Declare default permissions as read only. permissions: read-all 
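Review bot: The added `actions/setup-go` step in sec-codeql.yml hard-codes `go-version: '1.21'`, so the toolchain CodeQL analyses with can drift from the one the module and the release build use. If the repository's go.mod declares the Go version (not visible in this hunk), `go-version-file: go.mod` would keep the two aligned. `cache: false` presumably avoids clashing with the `actions/cache` step that follows, and a one-line comment such as `# caching is handled by the actions/cache step below` would record that. The job's step list continues outside the hunk.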
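Review bot: The new `workflow_dispatch:` trigger in sec-scorecard.yml allows a manual run from any branch, while the comment this hunk deletes stated that only the default branch is supported. With `publish_results: true` set further down, a run from another ref will probably fail or publish nothing useful, which is worth confirming. A job-level guard such as `if: github.ref == 'refs/heads/main'` would make the intent explicit. The deleted comments were also the only explanation of why `branch_protection_rule` and the weekly `schedule` exist; short forms such as `# branch_protection_rule: feeds the Branch-Protection check` and `# schedule: keeps the Maintained check fresh` would preserve that.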
@@ -55,6 +48,7 @@ jobs: # - `publish_results` will always be set to `false`, regardless # of the value entered here. publish_results: true + repo_token: ${{ secrets.SCORECARD_TOKEN }} # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab.
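Review bot: `repo_token: ${{ secrets.SCORECARD_TOKEN }}` hands what is presumably a personal access token to the Scorecard action, and the workflow-level `permissions: read-all` does not constrain it, because that block only limits the built-in `GITHUB_TOKEN`. The token's own scope is therefore the only limit, so it should be a fine-grained, read-only token restricted to this repository and given an expiry date. The required scope should be recorded next to the input, e.g. `# SCORECARD_TOKEN: fine-grained PAT, read-only, this repo only (Branch-Protection check)`. It is also worth checking what happens when the secret is absent (forks, or after rotation): the expression then evaluates to an empty string, and `${{ secrets.SCORECARD_TOKEN || github.token }}` would fall back to the default token if that is acceptable. The step's `with:` block starts and ends outside the hunk.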