From 44a48414accc5a921d2f7d16932e52bd8c0b523e Mon Sep 17 00:00:00 2001 From: Daniel Date: Tue, 26 May 2026 13:41:59 +0200 Subject: [PATCH 1/3] ci: specify token permissions and pin versions --- .github/workflows/tag-release.yaml | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/.github/workflows/tag-release.yaml b/.github/workflows/tag-release.yaml index 1fa6723..0efdca2 100644 --- a/.github/workflows/tag-release.yaml +++ b/.github/workflows/tag-release.yaml @@ -5,12 +5,15 @@ on: tags: - '*' +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c with: go-version: '1.25' - run: go get -t -v ./... @@ -19,10 +22,12 @@ jobs: release: runs-on: ubuntu-latest needs: test + permissions: + contents: write steps: - name: Create GitHub Release id: create - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -35,9 +40,11 @@ jobs: upload: needs: release runs-on: ubuntu-latest + permissions: + contents: write steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c with: go-version: '1.25' @@ -71,7 +78,7 @@ jobs: - name: Upload Binaries id: upload-release-asset - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: From 1a0f7b8cd6b120498ef7e1ca1dbb081d1c47c71f Mon Sep 17 00:00:00 2001 
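Review bot: The SHA pins added on the `uses:` lines of the test job carry no trailing version comment, so a reader cannot tell which release `de0fac2e…` or `4a360112…` corresponds to, and the pin cannot be audited against an upstream tag at a glance. Append the tag as a comment, e.g. `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # <release tag>`, after confirming the hash is a commit in the upstream repository that the tag points to. The same applies to the `softprops/action-gh-release` pins in the release and upload hunks and to the pins in pull-request-test.yaml (PATCH 2/3). It matters most in the upload job, where `checkout@v4` and `setup-go@v5` are replaced by the same hashes that replace `@v6` here, so that job presumably also takes a major-version bump the commit message does not mention.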
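Review bot: In the upload job hunk (`@@ -35,9 +40,11 @@`), `contents: write` is now granted, but the `actions/checkout` step still runs with its default `persist-credentials: true`, which keeps the job token configured for git for every later step in the job. The build steps between this hunk and the upload step are not visible here; if none of them push with git, add `with:` and `persist-credentials: false` under the checkout step so the write-scoped token reaches only `softprops/action-gh-release` through its explicit `GITHUB_TOKEN` env. The read-only test jobs have the same default with lower impact. The upload job's step list continues outside the hunk.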
From: Daniel Date: Tue, 26 May 2026 13:43:22 +0200 Subject: [PATCH 2/3] ci: pin versions for test pull request workflow --- .github/workflows/pull-request-test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pull-request-test.yaml b/.github/workflows/pull-request-test.yaml index 8f2dc9f..98ff3f7 100644 --- a/.github/workflows/pull-request-test.yaml +++ b/.github/workflows/pull-request-test.yaml @@ -7,8 +7,8 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c with: go-version: '1.25' - run: go get -t -v ./... From 2df345e25a2d84a9acdf1461d836efd6b9338972 Mon Sep 17 00:00:00 2001 From: Daniel Date: Tue, 26 May 2026 13:45:38 +0200 Subject: [PATCH 3/3] ci: update permissions for test workflow --- .github/workflows/pull-request-test.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pull-request-test.yaml b/.github/workflows/pull-request-test.yaml index 98ff3f7..d1c9816 100644 --- a/.github/workflows/pull-request-test.yaml +++ b/.github/workflows/pull-request-test.yaml @@ -3,6 +3,9 @@ name: "Test Pull Request" on: pull_request: +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest