From 7c6eefbcdf533c613b0ad0fcdf2e1988bbe4214b Mon Sep 17 00:00:00 2001
From: Matthias Mair
Date: Sun, 24 Mar 2024 23:11:16 +0100
Subject: [PATCH] CI-Actions: Security fixes (#6835)
* add security commitment
* fix badge path
* set token permissions see https://github.com/inventree/InvenTree/security/code-scanning/48
* add more chapters
* break up flow text
* spellchecking
* clean diff
* bump setup-python to node 20 version
* fix docker version too
---
 .github/actions/setup/action.yaml | 2 +-
 .github/workflows/backport.yml | 3 +++
 .github/workflows/check_translations.yaml | 3 +++
 .github/workflows/docker.yaml | 2 +-
 .github/workflows/qc_checks.yaml | 6 ++++--
 .github/workflows/release.yml | 3 +++
 .github/workflows/translations.yml | 3 +++
 7 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
index d43fa57e71..c9f0fcfd89 100644
--- a/.github/actions/setup/action.yaml
+++ b/.github/actions/setup/action.yaml
@@ -40,7 +40,7 @@ runs:
 # Python installs
 - name: Set up Python ${{ env.python_version }}
 if: ${{ inputs.python == 'true' }}
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # pin@v4.7.1
+ uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # pin@v5.0.0
 with:
 python-version: ${{ env.python_version }}
 cache: pip
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 1aadcf8c4f..d885b0dde6 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -9,6 +9,9 @@ on:
 pull_request_target:
 types: [ "labeled", "closed" ]
+permissions:
+ contents: read
+
 jobs:
 backport:
 name: Backport PR
diff --git a/.github/workflows/check_translations.yaml b/.github/workflows/check_translations.yaml
index 315922717a..7e97eba8fa 100644
--- a/.github/workflows/check_translations.yaml
+++ b/.github/workflows/check_translations.yaml
@@ -11,6 +11,9 @@ on:
 env:
 python_version: 3.9
+permissions:
+ contents: read
+
 jobs:
 check:
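Review bot: The workflow-level `permissions: contents: read` added before `jobs:` in backport.yml does not just narrow the token, it resets every other GITHUB_TOKEN scope (write and read alike, e.g. `pull-requests`, `issues`, `packages`) to none for every job in the file, and the same applies to the identical blocks in check_translations.yaml, qc_checks.yaml, release.yml and translations.yml. The job bodies are outside these hunks, so this is inferred, but a backport job that opens a PR on `pull_request_target`, a release job that uploads assets, or a translations job that pushes commits will now fail with a 403 unless it carries its own job-level `permissions:` block naming exactly the scopes it needs (or uses a separately stored token); please confirm each job still has what it uses. A one-line comment above the new block would make the contract explicit for the next editor, e.g. `# Least-privilege default for GITHUB_TOKEN; a job that must write declares its own permissions block.`. Where a job does receive write scopes under `pull_request_target`, the job-level block should stay as narrow as possible and the job should avoid executing code from the PR head.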
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index 0cbb5344ff..c4507c06de 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -71,7 +71,7 @@ jobs:
 - name: Check out repo
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4.1.1
 - name: Set Up Python ${{ env.python_version }}
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # pin@v4.7.1
+ uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # pin@v5.0.0
 with:
 python-version: ${{ env.python_version }}
 - name: Version Check
diff --git a/.github/workflows/qc_checks.yaml b/.github/workflows/qc_checks.yaml
index dc524bac38..1ba4787e0e 100644
--- a/.github/workflows/qc_checks.yaml
+++ b/.github/workflows/qc_checks.yaml
@@ -22,6 +22,8 @@ env:
 INVENTREE_BACKUP_DIR: ../test_inventree_backup
 INVENTREE_SITE_URL: http://localhost:8000
+permissions:
+ contents: read
 jobs:
 paths-filter:
 name: Filter
@@ -82,7 +84,7 @@ jobs:
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4.1.1
 - name: Set up Python ${{ env.python_version }}
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # pin@v4.7.1
+ uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # pin@v5.0.0
 with:
 python-version: ${{ env.python_version }}
 cache: 'pip'
@@ -103,7 +105,7 @@ jobs:
 - name: Checkout Code
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4.1.1
 - name: Set up Python ${{ env.python_version }}
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # pin@v4.7.1
+ uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # pin@v5.0.0
 with:
 python-version: ${{ env.python_version }}
 - name: Check Config
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 81ed0a0c75..ca751d0aac 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
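Review bot: In the first qc_checks.yaml hunk (`@@ -22,6 +22,8 @@`) the new `permissions:` block is placed directly against `jobs:` with no separating blank line, whereas every other workflow in this patch adds a blank line after `contents: read` (the hunk counts show 2 added lines here versus 3 elsewhere). Add the blank line so the top-level stanzas stay visually separated and the files remain consistent: `+  contents: read` followed by `+` then ` jobs:`. This workflow also has a job named `paths-filter`; if it lists changed files through the GitHub API on pull-request events it may need a job-level `pull-requests: read`, which the workflow-level block no longer grants — worth confirming since its steps are outside the hunk.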
@@ -5,6 +5,9 @@ on:
 release:
 types: [ published ]
+permissions:
+ contents: read
+
 jobs:
 stable:
diff --git a/.github/workflows/translations.yml b/.github/workflows/translations.yml
index 3ab9293f4f..c44bda9b8b 100644
--- a/.github/workflows/translations.yml
+++ b/.github/workflows/translations.yml
@@ -9,6 +9,9 @@ env:
 python_version: 3.9
 node_version: 18
+permissions:
+ contents: read
+
 jobs:
 build: