Security improvements (#6890)

* Set write permissions at job level * publish scorecard results * Update scorecard.yml * Update scorecard.yml * Create .sonarcloud.properties * Delete .deepsource.toml * replace badge * pin requests, pyyaml, jc * pin yarn version * pin uv * reduce settings * set test path
2025-06-15 11:35:41 +00:00 · 2024-04-02 07:35:01 +01:00
parent 364a9d4fc1
commit 4db61df8cd
10 changed files with 27 additions and 47 deletions
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@ -76,8 +76,8 @@ jobs:
          python-version: ${{ env.python_version }}
      - name: Version Check
        run: |
-          pip install requests
-          pip install pyyaml
+          pip install requests==2.31.0
+          pip install pyyaml==6.0.1
          python3 ci/version_check.py
          echo "git_commit_hash=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
          echo "git_commit_date=$(git show -s --format=%ci)" >> $GITHUB_ENV
--- a/.github/workflows/qc_checks.yaml
+++ b/.github/workflows/qc_checks.yaml
@ -92,7 +92,7 @@ jobs:
        uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # pin@v3.0.1
      - name: Check Version
        run: |
-          pip install requests
+          pip install requests==2.31.0
          python3 ci/version_check.py

  mkdocs:
@ -110,7 +110,7 @@ jobs:
          python-version: ${{ env.python_version }}
      - name: Check Config
        run: |
-          pip install pyyaml
+          pip install pyyaml==6.0.1
          pip install -r docs/requirements.txt
          python docs/ci/check_mkdocs_config.py
      - name: Check Links
@ -156,7 +156,7 @@ jobs:
      - name: Download public schema
        if: needs.paths-filter.outputs.api == 'false'
        run: |
-          pip install requests >/dev/null 2>&1
+          pip install requests==2.31.0 >/dev/null 2>&1
          version="$(python3 ci/version_check.py only_version 2>&1)"
          echo "Version: $version"
          url="https://raw.githubusercontent.com/inventree/schema/main/export/${version}/api.yaml"
@ -175,7 +175,7 @@ jobs:
        id: version
        if: github.ref == 'refs/heads/master' && needs.paths-filter.outputs.api == 'true'
        run: |
-          pip install requests >/dev/null 2>&1
+          pip install requests==2.31.0 >/dev/null 2>&1
          version="$(python3 ci/version_check.py only_version 2>&1)"
          echo "Version: $version"
          echo "version=$version" >> "$GITHUB_OUTPUT"
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -19,7 +19,7 @@ jobs:
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4.1.1
      - name: Version Check
        run: |
-          pip install requests
+          pip install requests==2.31.0
          python3 ci/version_check.py
      - name: Push to Stable Branch
        uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # pin@v0.8.0
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@ -54,7 +54,7 @@ jobs:
          # For private repositories:
          #   - `publish_results` will always be set to `false`, regardless
          #     of the value entered here.
-          publish_results: false
+          publish_results: true

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
--- a/.github/workflows/translations.yml
+++ b/.github/workflows/translations.yml
@ -10,12 +10,14 @@ env:
  node_version: 18

 permissions:
-  contents: write
+  contents: read

 jobs:
  build:

    runs-on: ubuntu-latest
+    permissions:
+      contents: write

    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}