commit ff1ac1bc5e67d445279e4abded3f37b91b51a36c
parent ca474b6c9a96a4fcf91bbb517fad4b792dddea25
Author: Vincent Demeester <vincent@sbr.pm>
Date: Tue, 2 Jan 2024 09:57:36 +0100
Hardened github workflows by pinning dependencies…
… and setting some things as readonly.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/build-systems.yaml b/.github/workflows/build-systems.yaml
@@ -1,5 +1,8 @@
name: Nix Flake actions
+permissions:
+ contents: read
+
on:
workflow_dispatch: {}
pull_request:
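Review bot: The new top-level `permissions:` block makes `contents: read` the GITHUB_TOKEN scope for every job in this workflow, including the Cachix push job further down, which is fine because that job authenticates to Cachix with its own secret rather than the GitHub token. A comment above the block would stop the next editor from widening it for all jobs when a single step needs more, e.g. `# Least-privilege GITHUB_TOKEN for every job; widen at job level only if a step needs it.` The `on:` mapping continues past the end of the hunk.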
@@ -16,8 +19,8 @@ jobs:
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- - uses: actions/checkout@v4
- - uses: cachix/install-nix-action@v24
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
- id: set-matrix
name: Generate Nix Matrix
run: |
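Review bot: The SHA pins on the two `uses:` lines freeze these actions at one commit, which only stays safe if something bumps them; unless the repository already has a `.github/dependabot.yml` entry for the `github-actions` package ecosystem (or Renovate), the pins will silently age past upstream security releases. The trailing `# v4.1.1` / `# v24` comments are the form those tools read to keep the version annotation in step with the SHA, so they should stay on every pinned line and be updated together with it. The same point applies to the pins in the two later hunks of this file and in nix-auto-upgrade.yaml. The `nix-matrix` job starts before this hunk and its `run:` block continues past it.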
@@ -34,7 +37,7 @@ jobs:
matrix: ${{fromJSON(needs.nix-matrix.outputs.matrix)}}
steps:
- name: Maximize build space
- uses: AdityaGarg8/remove-unwanted-software@v1
+ uses: AdityaGarg8/remove-unwanted-software@6241eb8f15184023d3a01e295ab2bc0e67ecc06d # v1
with:
remove-android: 'true'
remove-dotnet: 'true'
@@ -42,9 +45,9 @@ jobs:
run: |
echo "Free space:"
df -h
- - uses: actions/checkout@v4
- - uses: cachix/install-nix-action@v24
- - uses: cachix/cachix-action@v13
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
+ - uses: cachix/cachix-action@6a2e08b5ebf7a9f285ff57b1870a4262b06e0bee # v13
with:
name: vdemeester
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
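Review bot: The cachix-action step on the last lines receives `CACHIX_AUTH_TOKEN`, a push-capable secret, so of all the pins in this commit this is the one whose integrity matters most. A comment on the `uses:` line would make that visible to whoever next bumps it, e.g. `# receives a push-capable Cachix token: verify the new SHA against the upstream release before bumping`. The step's `with:` block runs past the end of the hunk, so any `if:` guard on it is not visible here.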
diff --git a/.github/workflows/nix-auto-upgrade.yaml b/.github/workflows/nix-auto-upgrade.yaml
@@ -9,14 +9,14 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install Nix
- uses: cachix/install-nix-action@v24
+ uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
with:
extra_nix_config: |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
- name: Update flake.lock
- uses: DeterminateSystems/update-flake-lock@v20
+ uses: DeterminateSystems/update-flake-lock@da2fd6f2563fe3e4f2af8be73b864088564e263d # v20
with:
pr-title: "Update flake.lock" # Title of PR to be created
pr-labels: | # Labels to be set on the PR
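Review bot: nix-auto-upgrade.yaml gets its actions pinned but, going by the diffstat (12 insertions, all accounted for by the hunks shown), no `permissions:` block, so unless its header outside this hunk already declares one the job still runs with the repository's default GITHUB_TOKEN scope while build-systems.yaml is locked to `contents: read`. update-flake-lock opens a pull request with that token, so the least-privilege grant to add at job level is `permissions:` / `contents: write` / `pull-requests: write`, and nothing more. The job starts before this hunk and the update-flake-lock `with:` block continues past it.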