ci: upgrade github actions

Signed-off-by: Emilien Escalle <emilien.escalle@escemi.com>
2026-01-10 22:53:06 +08:00 · 2024-04-01 09:14:59 +02:00 · 2024-04-01 09:14:59 +02:00 · 43ee4ae897
commit 43ee4ae897
parent 14fb4392b7
10 changed files with 68 additions and 13 deletions
--- a/.github/workflows/__check-action.yml
+++ b/.github/workflows/__check-action.yml
@ -3,6 +3,9 @@ name: Internal - Tests for action
 on:
  workflow_call:

+permissions:
+  contents: read
+
 jobs:
  test-action-with-services:
    runs-on: ubuntu-latest
--- a/.github/workflows/__check-dist.yml
+++ b/.github/workflows/__check-dist.yml
@ -3,6 +3,9 @@ name: Internal - Checks for dist
 on:
  workflow_call:

+permissions:
+  contents: read
+
 jobs:
  check-dist:
    name: Check dist
--- a/.github/workflows/__check-nodejs.yml
+++ b/.github/workflows/__check-nodejs.yml
@ -3,6 +3,11 @@ name: Internal - Checks for nodejs
 on:
  workflow_call:

+permissions:
+  contents: read
+  security-events: write
+  id-token: write
+
 jobs:
  test-nodejs:
    uses: hoverkraft-tech/ci-github-nodejs/.github/workflows/continuous-integration.yml@0.4.2
--- a/.github/workflows/__shared-ci.yml
+++ b/.github/workflows/__shared-ci.yml
@ -3,9 +3,16 @@ name: Common Continuous Integration tasks
 on:
  workflow_call:

+permissions:
+  contents: read
+  packages: read
+  statuses: write
+  security-events: write
+  id-token: write
+
 jobs:
  linter:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@feat/linter-extra-env-input
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@0.13.0
    with:
      linter-env: |
        FILTER_REGEX_EXCLUDE=dist/**/*
--- a/.github/workflows/greetings.yml
+++ b/.github/workflows/greetings.yml
@ -0,0 +1,14 @@
+name: Greetings
+
+on:
+  issues:
+    types: [opened]
+  pull_request_target:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  greetings:
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/greetings.yml@0.13.0
--- a/.github/workflows/main-ci.yml
+++ b/.github/workflows/main-ci.yml
@ -3,7 +3,14 @@ name: Internal - Main - Continuous Integration
 on:
  push:
    branches: [main]
-    tags: ['*']
+    tags: ["*"]
+
+permissions:
+  contents: read
+  packages: read
+  statuses: write
+  security-events: write
+  id-token: write

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@ -30,11 +37,11 @@ jobs:
          app-id: ${{ vars.CI_BOT_APP_ID }}
          private-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}

-      - uses: hoverkraft-tech/ci-github-common/actions/create-and-merge-pull-request@main
+      - uses: hoverkraft-tech/ci-github-common/actions/create-and-merge-pull-request@0.13.0
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
          branch: docs/actions-workflows-documentation-update
-          title: 'docs: update actions and workflows documentation'
+          title: "docs: update actions and workflows documentation"
          body: Update actions and workflows documentation
          commit-message: |
            docs: update actions and workflows documentation
--- a/.github/workflows/need-fix-to-issue.yml
+++ b/.github/workflows/need-fix-to-issue.yml
@ -6,18 +6,21 @@ on:
      - main
  workflow_dispatch:
    inputs:
+      #checkov:skip=CKV_GHA_7: required
      manual-commit-ref:
-        description: 'The SHA of the commit to get the diff for'
+        description: "The SHA of the commit to get the diff for"
        required: true
      manual-base-ref:
-        description:
-          'By default, the commit entered above is compared to the one directly
-          before it; to go back further, enter an earlier SHA here'
+        description: "By default, the commit entered above is compared to the one directly
+          before it; to go back further, enter an earlier SHA here"
        required: false

+permissions:
+  contents: read
+
 jobs:
  main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@0.12.1
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/need-fix-to-issue.yml@0.13.0
    with:
      manual-commit-ref: ${{ inputs.manual-commit-ref }}
      manual-base-ref: ${{ inputs.manual-base-ref }}
--- a/.github/workflows/pull-request-ci.yml
+++ b/.github/workflows/pull-request-ci.yml
@ -5,6 +5,13 @@ on:
  pull_request:
    branches: [main]

+permissions:
+  contents: read
+  packages: read
+  statuses: write
+  security-events: write
+  id-token: write
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/semantic-pull-request.yml
+++ b/.github/workflows/semantic-pull-request.yml
@ -1,4 +1,4 @@
-name: 'Pull Request - Semantic Lint'
+name: "Pull Request - Semantic Lint"

 on:
  pull_request_target:
@ -7,6 +7,9 @@ on:
      - edited
      - synchronize

+permissions:
+  contents: read
+
 jobs:
  main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@0.12.1
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/semantic-pull-request.yml@0.13.0
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -2,8 +2,11 @@ name: Mark stale issues and pull requests

 on:
  schedule:
-    - cron: '30 1 * * *'
+    - cron: "30 1 * * *"
+
+permissions:
+  contents: read

 jobs:
  main:
-    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@0.12.1
+    uses: hoverkraft-tech/ci-github-common/.github/workflows/stale.yml@0.13.0