Harden GitHub Actions (#544)

* Harden GitHub Actions

* Update release.yml

---------

Co-authored-by: Ajeet D'Souza <98ajeet@gmail.com>
StepSecurity Bot 2023-03-18 06:52:41 -07:00 committed by Ajeet D'Souza
parent 8f1cb75732
commit fa1cfb490d
3 changed files with 21 additions and 17 deletions


@ -8,6 +8,9 @@ env:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
CARGO_INCREMENTAL: 0 CARGO_INCREMENTAL: 0
CARGO_TERM_COLOR: always CARGO_TERM_COLOR: always
permissions:
contents: read
jobs: jobs:
ci: ci:
name: ${{ matrix.os }} name: ${{ matrix.os }}
@ -16,29 +19,29 @@ jobs:
matrix: matrix:
os: [ubuntu-latest, windows-latest] os: [ubuntu-latest, windows-latest]
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
with: with:
fetch-depth: 0 fetch-depth: 0
- uses: actions-rs/toolchain@v1 - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
if: ${{ matrix.os == 'windows-latest' }} if: ${{ matrix.os == 'windows-latest' }}
with: with:
toolchain: stable toolchain: stable
components: rustfmt, clippy components: rustfmt, clippy
profile: minimal profile: minimal
override: true override: true
- uses: cachix/install-nix-action@v16 - uses: cachix/install-nix-action@d56f3ce9be45c562799280e8a561fbbe8f36de44 # v16
if: ${{ matrix.os != 'windows-latest' }} if: ${{ matrix.os != 'windows-latest' }}
with: with:
nix_path: nixpkgs=channel:nixos-unstable nix_path: nixpkgs=channel:nixos-unstable
- uses: cachix/cachix-action@v10 - uses: cachix/cachix-action@73e75d1a0cd4330597a571e8f9dedb41faa2fc4e # v10
if: ${{ matrix.os != 'windows-latest' && env.CACHIX_AUTH_TOKEN != '' }} if: ${{ matrix.os != 'windows-latest' && env.CACHIX_AUTH_TOKEN != '' }}
with: with:
authToken: ${{ env.CACHIX_AUTH_TOKEN }} authToken: ${{ env.CACHIX_AUTH_TOKEN }}
name: zoxide name: zoxide
- name: Setup cache - name: Setup cache
uses: Swatinem/rust-cache@v1 uses: Swatinem/rust-cache@81d053bdb0871dcd3f10763c8cc60d0adc41762b # v1
with: with:
key: ${{ matrix.target }} key: ${{ matrix.target }}
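Review bot: Pinning each `uses:` to a commit SHA freezes the action, so these steps only pick up upstream security fixes when someone moves the hash, and the trailing `# v2.6.0`-style comments are informational only — nothing in the workflow checks that they still match the SHA. Unless a Dependabot or Renovate configuration with `package-ecosystem: github-actions` already exists outside this diff, add one so the pins are bumped and the version comments rewritten together. The same applies to the pins in the other two files (the `no-response` step and every `uses:` in the release workflow). In the release workflow, `permissions: contents: write` is granted both at workflow level and again on the `release` job; the job-level copy is redundant, and keeping the workflow level at `contents: read` with the `write` grant only on that job would better match the least-privilege intent of this commit, assuming no other job in that file needs write access.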


@ -11,7 +11,7 @@ jobs:
if: github.repository == 'ajeetdsouza/zoxide' if: github.repository == 'ajeetdsouza/zoxide'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: lee-dohm/no-response@v0.5.0 - uses: lee-dohm/no-response@9bb0a4b5e6a45046f00353d5de7d90fb8bd773bb # v0.5.0
with: with:
token: ${{ github.token }} token: ${{ github.token }}
daysUntilClose: 30 daysUntilClose: 30


@ -6,11 +6,12 @@ on:
workflow_dispatch: workflow_dispatch:
env: env:
CARGO_INCREMENTAL: 0 CARGO_INCREMENTAL: 0
permissions:
contents: write
jobs: jobs:
release: release:
name: ${{ matrix.target }} name: ${{ matrix.target }}
permissions:
contents: write
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
strategy: strategy:
fail-fast: false fail-fast: false
@ -38,19 +39,19 @@ jobs:
target: aarch64-pc-windows-msvc target: aarch64-pc-windows-msvc
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v2 uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Get version - name: Get version
id: get_version id: get_version
uses: SebRollen/toml-action@v1.0.2 uses: SebRollen/toml-action@2bd04b06a3ebc3e6a3eb6060de115710cad16cd6 # v1.0.2
with: with:
file: Cargo.toml file: Cargo.toml
field: package.version field: package.version
- name: Install Rust - name: Install Rust
uses: actions-rs/toolchain@v1 uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
with: with:
toolchain: stable toolchain: stable
profile: minimal profile: minimal
@ -58,12 +59,12 @@ jobs:
target: ${{ matrix.target }} target: ${{ matrix.target }}
- name: Setup cache - name: Setup cache
uses: Swatinem/rust-cache@v1 uses: Swatinem/rust-cache@81d053bdb0871dcd3f10763c8cc60d0adc41762b # v1
with: with:
key: ${{ matrix.target }} key: ${{ matrix.target }}
- name: Build binary - name: Build binary
uses: actions-rs/cargo@v1 uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
with: with:
command: build command: build
args: --release --locked --target=${{ matrix.target }} --color=always --verbose args: --release --locked --target=${{ matrix.target }} --color=always --verbose
@ -71,13 +72,13 @@ jobs:
- name: Install cargo-deb - name: Install cargo-deb
if: ${{ matrix.deb == true }} if: ${{ matrix.deb == true }}
uses: actions-rs/install@v0.1 uses: actions-rs/install@9da1d2adcfe5e7c16992e8242ca33a56b6d9b101 # v0.1.2
with: with:
crate: cargo-deb crate: cargo-deb
- name: Build deb - name: Build deb
if: ${{ matrix.deb == true }} if: ${{ matrix.deb == true }}
uses: actions-rs/cargo@v1 uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
with: with:
command: deb command: deb
args: --no-build --no-strip --output=. --target=${{ matrix.target }} args: --no-build --no-strip --output=. --target=${{ matrix.target }}
@ -102,7 +103,7 @@ jobs:
./target/${{ matrix.target }}/release/zoxide.exe ./target/${{ matrix.target }}/release/zoxide.exe
- name: Upload artifact - name: Upload artifact
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
with: with:
name: ${{ matrix.target }} name: ${{ matrix.target }}
path: | path: |
@ -112,7 +113,7 @@ jobs:
- name: Create release - name: Create release
if: ${{ github.ref == 'refs/heads/main' && startsWith(github.event.head_commit.message, 'chore(release)') }} if: ${{ github.ref == 'refs/heads/main' && startsWith(github.event.head_commit.message, 'chore(release)') }}
uses: softprops/action-gh-release@v1 uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
with: with:
draft: true draft: true
files: | files: |