diff --git a/.github/workflows/assign-to-project.yml b/.github/workflows/assign-to-project.yml index 89e500e..6742c26 100644 --- a/.github/workflows/assign-to-project.yml +++ b/.github/workflows/assign-to-project.yml @@ -8,34 +8,45 @@ on: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +permissions: + contents: read + jobs: assign-to-project: + permissions: + repository-projects: write # for srggrs/assign-one-project-github-action to assign issues and PRs to repo project runs-on: ubuntu-latest name: Assign to Project steps: + + - name: Harden Runner + uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Assign Issues to Bugs - uses: srggrs/assign-one-project-github-action@1.3.1 + uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435 if: contains(github.event.issue.labels.*.name, 'bug') with: project: 'https://github.com/irongut/CodeCoverageSummary/projects/1' column_name: 'Needs triage' - name: Assign Issues to Enhancements - uses: srggrs/assign-one-project-github-action@1.3.1 + uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435 if: contains(github.event.issue.labels.*.name, 'enhancement') with: project: 'https://github.com/irongut/CodeCoverageSummary/projects/2' column_name: 'To do' - name: Assign PRs to Bugs - uses: srggrs/assign-one-project-github-action@1.3.1 + uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435 if: contains(github.event.pull_request.labels.*.name, 'bug') with: project: 'https://github.com/irongut/CodeCoverageSummary/projects/1' column_name: 'In Progress' - name: Assign PRs to Enhancements - uses: srggrs/assign-one-project-github-action@1.3.1 + uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435 if: contains(github.event.pull_request.labels.*.name, 'enhancement') with: project: 'https://github.com/irongut/CodeCoverageSummary/projects/2' diff --git a/.github/workflows/auto-assign-pr.yml b/.github/workflows/auto-assign-pr.yml index cb6e91b..b923fd6 100644 --- a/.github/workflows/auto-assign-pr.yml +++ b/.github/workflows/auto-assign-pr.yml @@ -7,11 +7,22 @@ on: pull_request: types: [opened] +permissions: + contents: read + jobs: assignAuthor: + permissions: + issues: write # for samspills/assign-pr-to-author runs-on: ubuntu-latest steps: + + - name: Harden Runner + uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Auto Assign PR - uses: samspills/assign-pr-to-author@v1.0.1 + uses: samspills/assign-pr-to-author@223a87a821f7e7447cfb5221bc53ceeb633341c2 with: repo-token: '${{ secrets.GITHUB_TOKEN }}' diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml index e0e45be..ae256e2 100644 --- a/.github/workflows/ci-build.yml +++ b/.github/workflows/ci-build.yml @@ -6,16 +6,25 @@ on: pull_request: branches: [ master ] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest name: CI Build steps: + + - name: Harden Runner + uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf - name: Setup .Net - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 with: dotnet-version: 6.0.x diff --git a/.github/workflows/mark-stale.yml b/.github/workflows/mark-stale.yml index bdbe3f2..4f2542d 100644 --- a/.github/workflows/mark-stale.yml +++ b/.github/workflows/mark-stale.yml @@ -4,14 +4,25 @@ on: schedule: - cron: "30 1 * * *" +permissions: + contents: read + jobs: stale: + permissions: + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-latest - steps: + + - name: Harden Runner + uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Mark Stale - uses: actions/stale@v3 + uses: actions/stale@98ed4cb500039dbcccf4bd9bedada4d0187f2757 with: repo-token: ${{ secrets.GITHUB_TOKEN }} exempt-all-milestones: true diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml index aa1a9f8..1d21c53 100644 --- a/.github/workflows/pr-labeler.yml +++ b/.github/workflows/pr-labeler.yml @@ -7,10 +7,22 @@ name: PR Labeler on: pull_request_target: +permissions: + contents: read + jobs: label: + permissions: + contents: read # for actions/labeler to determine modified files + pull-requests: write # for actions/labeler to add labels to PRs runs-on: ubuntu-latest steps: - - uses: actions/labeler@v3 + + - name: Harden Runner + uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + + - uses: actions/labeler@472c5d3aaacde439785e94966eb2e545627f4935 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index eb1e12c..dae8b11 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -8,18 +8,27 @@ env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} +permissions: + contents: read + jobs: build: name: Test Build runs-on: ubuntu-latest steps: + + - name: Harden Runner + uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf with: fetch-depth: 0 - name: Setup .Net - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 with: dotnet-version: 6.0.x @@ -40,11 +49,17 @@ jobs: contents: read packages: write steps: + + - name: Harden Runner + uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf - name: Login to GitHub Container Registry - uses: docker/login-action@v1 + uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 with: registry: ${{ env.REGISTRY }} username: ${{ github.repository_owner }} @@ -52,12 +67,12 @@ jobs: - name: Extract Docker metadata id: meta - uses: docker/metadata-action@v3 + uses: docker/metadata-action@b2391d37b4157fa4aa2e118d643f417910ff3242 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build + Push Docker image - uses: docker/build-push-action@v2 + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a with: context: . push: true