diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c43b0938..d6d90826 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -22,6 +22,9 @@ on: schedule: - cron: '20 9 * * 5' +permissions: + contents: read + jobs: analyze: name: Analyze @@ -41,16 +44,16 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup .NET - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@3951f0dfe7a07e2313ec93c75700083e2005cbab # v4.3.0 with: dotnet-version: 9.0.x # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -78,4 +81,4 @@ jobs: run: dotnet build --no-restore -c Release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 diff --git a/.github/workflows/codeql-required-workaround.yml b/.github/workflows/codeql-required-workaround.yml index 94b77966..b5eb33e3 100644 --- a/.github/workflows/codeql-required-workaround.yml +++ b/.github/workflows/codeql-required-workaround.yml @@ -10,6 +10,9 @@ on: # https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks +permissions: + contents: read + jobs: analyze: #names must match the original workflow name: Analyze (csharp) diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml index 6b05a9fc..5e1e3992 100644 --- a/.github/workflows/create-release.yml +++ b/.github/workflows/create-release.yml 
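Review bot: The workflow-level `permissions: contents: read` added in the `@@ -22,6 +22,9 @@` hunk of codeql-analysis.yml leaves the token without `security-events: write`, which `github/codeql-action/analyze` needs to upload its results, unless the `analyze` job grants it itself. The job's own settings sit between this hunk and the next one and are not in the diff, so this cannot be confirmed from here. If the job has no block of its own, give `analyze` a job-level `permissions:` with `contents: read` and `security-events: write` (plus `actions: read` if the repository is private) instead of widening the workflow-level default.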
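Review bot: The commit-hash pins in the `@@ -41,16 +44,16 @@` hunk no longer follow `v4`/`v3`, so security fixes to these actions only arrive when someone bumps the hash. The same applies to `codeql-action/analyze` in the last hunk of this file and to the pins in create-release.yml and dotnet.yml. Nothing in the diff shows an updater; if the repository has no Dependabot or Renovate entry for the `github-actions` ecosystem, add one so the hash and its trailing `# v…` comment are updated together. `codeql-action/init` and `codeql-action/analyze` point at the same commit here, and they should keep being bumped as a pair.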
@@ -18,9 +18,9 @@ jobs: env: release: 'dev-proxy-${{ matrix.architecture }}-${{ github.ref_name }}' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup .NET - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@3951f0dfe7a07e2313ec93c75700083e2005cbab # v4.3.0 with: dotnet-version: 9.0.x - name: Rename executable for beta @@ -57,7 +57,7 @@ jobs: Get-ChildItem -Filter *.runtimeconfig.json -Recurse | Remove-Item popd - name: Archive release ${{ env.release }} - uses: thedoctor0/zip-release@master + uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # master with: filename: '../${{ env.release }}.zip' directory: './${{ env.release }}' @@ -65,20 +65,20 @@ jobs: run: | $(Get-FileHash ./${{ env.release }}.zip -Algorithm SHA256).Hash - name: Upload release - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: binaries-${{ env.release }} path: ./${{ env.release }}.zip - name: Archive abstractions if: matrix.architecture == 'win-x64' - uses: thedoctor0/zip-release@master + uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # master with: filename: '../../../../dev-proxy-abstractions-${{ github.ref_name }}.zip' directory: './dev-proxy-abstractions/bin/Release/net9.0' exclusions: '*.json' - name: Upload abstractions if: matrix.architecture == 'win-x64' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: binaries-dev-proxy-abstractions-${{ github.ref_name }} path: ./dev-proxy-abstractions-${{ github.ref_name }}.zip 
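Review bot: The `thedoctor0/zip-release` pin in the `@@ -57,7 +57,7 @@` hunk (repeated at "Archive abstractions" in the following hunk) is annotated `# master`, a branch name rather than a release, so the hash is just whatever the branch head was when the pin was written. A reader cannot tell which published release the build uses, and a version-aware updater may have no tag to compare the hash against. Prefer the commit behind a tagged release and name the tag in the comment, e.g. `uses: thedoctor0/zip-release@<sha-of-release-tag> # <release-tag>`. This matters more here than for the other pins because the action packages the release archive whose SHA256 is printed in the next step.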
@@ -113,7 +113,7 @@ jobs: working-directory: ./${{ env.release }} - name: Upload Installer if: contains(matrix.architecture, 'win-') - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: installer-dev-proxy-${{ github.ref_name }}-${{ matrix.architecture }} path: ./${{ env.release }}/dev-proxy-installer-${{ matrix.architecture }}-${{ github.ref_name }}.exe @@ -130,12 +130,12 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v4 - - uses: actions/download-artifact@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: path: output - name: Release - uses: anton-yurchenko/git-release@v6.0 + uses: anton-yurchenko/git-release@ec9c5b5c36b27eaffc628785b9183eae54601200 # v6.0.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DRAFT_RELEASE: "false" diff --git a/.github/workflows/dotnet-required-workaround.yml b/.github/workflows/dotnet-required-workaround.yml index 435c6730..50448aac 100644 --- a/.github/workflows/dotnet-required-workaround.yml +++ b/.github/workflows/dotnet-required-workaround.yml @@ -10,6 +10,9 @@ on: # https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/dotnet.yml b/.github/workflows/dotnet.yml index 68a44c51..a2f35fb2 100644 --- a/.github/workflows/dotnet.yml +++ b/.github/workflows/dotnet.yml 
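Review bot: create-release.yml is the only workflow with build steps in this commit that does not gain a workflow-level `permissions: contents: read`; the only permissions visible are the `contents: write` on the job in the `@@ -130,12 +130,12 @@` hunk. Unless a block exists above line 18, outside the diff, the build job that runs `thedoctor0/zip-release` and uploads the installer gets the repository's default token scope. Add `permissions:` with `contents: read` at the top of the file as in dotnet.yml; the job-level `contents: write` still overrides it for the release job. The `actions/checkout` step in that job could also set `persist-credentials: false`, provided nothing later in the job runs git with the stored token.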
@@ -9,15 +9,18 @@ on: # The branches below must be a subset of the branches above paths-ignore: ['samples/**', '**.md', '.vscode/**', '**.svg'] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup .NET - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@3951f0dfe7a07e2313ec93c75700083e2005cbab # v4.3.0 with: dotnet-version: 9.0.x - name: Restore workloads