home

My NixOS systems configurations.

commit ff1ac1bc5e67d445279e4abded3f37b91b51a36c
parent ca474b6c9a96a4fcf91bbb517fad4b792dddea25
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Tue,  2 Jan 2024 09:57:36 +0100

Hardened github workflows by pinning dependencies…

… and setting some things as readonly.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
M.github/workflows/build-systems.yaml | 15+++++++++------
M.github/workflows/nix-auto-upgrade.yaml | 6+++---
2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/build-systems.yaml b/.github/workflows/build-systems.yaml
@@ -1,5 +1,8 @@
 name: Nix Flake actions
+permissions:
+ contents: read
+
 on:
 workflow_dispatch: {}
 pull_request:
@@ -16,8 +19,8 @@ jobs:
 outputs:
 matrix: ${{ steps.set-matrix.outputs.matrix }}
 steps:
- - uses: actions/checkout@v4
- - uses: cachix/install-nix-action@v24
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
 - id: set-matrix
 name: Generate Nix Matrix
 run: |
@@ -34,7 +37,7 @@ jobs:
 matrix: ${{fromJSON(needs.nix-matrix.outputs.matrix)}}
 steps:
 - name: Maximize build space
- uses: AdityaGarg8/remove-unwanted-software@v1
+ uses: AdityaGarg8/remove-unwanted-software@6241eb8f15184023d3a01e295ab2bc0e67ecc06d # v1
 with:
 remove-android: 'true'
 remove-dotnet: 'true'
@@ -42,9 +45,9 @@ jobs:
 run: |
 echo "Free space:"
 df -h
- - uses: actions/checkout@v4
- - uses: cachix/install-nix-action@v24
- - uses: cachix/cachix-action@v13
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
+ - uses: cachix/cachix-action@6a2e08b5ebf7a9f285ff57b1870a4262b06e0bee # v13
 with:
 name: vdemeester
 authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
diff --git a/.github/workflows/nix-auto-upgrade.yaml b/.github/workflows/nix-auto-upgrade.yaml
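Review bot: The SHA pins introduced in the `@@ -16,8` and `@@ -42,9` hunks only stay meaningful if something refreshes them, and nothing in this commit adds a `.github/dependabot.yml` entry for the `github-actions` ecosystem (or an equivalent Renovate rule), so the pinned commits will silently age; the `# v4.1.1`-style trailing comments are exactly what such tooling keys on, so they should be kept accurate. If the repository already carries such a config outside this diff, ignore this. Separately, the `@@ -42,9` hunk keeps `authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'` in a workflow that the first hunk shows also runs on `pull_request`; secrets are not exposed to pull requests from forks, so that step presumably runs without push rights there, which is worth stating on that line, e.g. `# empty on fork PRs: cache is then read-only`. The jobs these hunks belong to start outside the visible lines.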
@@ -9,14 +9,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Install Nix
- uses: cachix/install-nix-action@v24
+ uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
 with:
 extra_nix_config: |
 access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
 - name: Update flake.lock
- uses: DeterminateSystems/update-flake-lock@v20
+ uses: DeterminateSystems/update-flake-lock@da2fd6f2563fe3e4f2af8be73b864088564e263d # v20
 with:
 pr-title: "Update flake.lock" # Title of PR to be created
 pr-labels: | # Labels to be set on the PR
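Review bot: This workflow gets no explicit `permissions:` block in the commit (the diffstat shows only the three `uses:` pins changed in this file), yet the `Update flake.lock` step has to push a branch and open a pull request and the `Install Nix` step hands `secrets.GITHUB_TOKEN` to `access-tokens`, so the job still relies on whatever the repository's default token permissions happen to be. Declaring the scopes it actually needs at the job level — `permissions:` with `contents: write` and `pull-requests: write` — documents the requirement and keeps the token no broader than that when the default is write-all, which is what the commit message's "readonly" intent suggests for the other file. The `jobs:` block and any top-level `permissions:` key sit above this hunk, so this may already be handled outside the visible lines.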