Andreas/watchtower
1
0
Fork 0
mirror of https://github.com/containrrr/watchtower.git synced 2025-12-16 23:20:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

[StepSecurity] ci: Harden GitHub Actions

Browse source 
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
This commit is contained in:
StepSecurity Bot 2022-10-13 23:39:20 +00:00
parent fc401dae75
commit a823fdcc04
6 changed files with 34 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

8
.github/workflows/codeql-analysis.yml vendored
View file

@ -31,7 +31,7 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v3 uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
with: with:
# We must fetch at least the immediate parents so that if this is # We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head. # a pull request then we can checkout the head.
@ -44,7 +44,7 @@ jobs:
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v2 uses: github/codeql-action/init@807578363a7869ca324a79039e6db9c843e0e100
with: with:
languages: ${{ matrix.language }} languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file. # If you wish to specify custom queries, you can do so here or in a config file.
@ -55,7 +55,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below) # If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild - name: Autobuild
uses: github/codeql-action/autobuild@v2 uses: github/codeql-action/autobuild@807578363a7869ca324a79039e6db9c843e0e100
# Command-line programs to run using the OS shell. # Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl # 📚 https://git.io/JvXDl
@ -69,4 +69,4 @@ jobs:
# make release # make release
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2 uses: github/codeql-action/analyze@807578363a7869ca324a79039e6db9c843e0e100

2
.github/workflows/greetings.yml vendored
View file

@ -10,7 +10,7 @@ jobs:
greeting: greeting:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/first-interaction@v1 - uses: actions/first-interaction@1d8459ca65b335265f1285568221e229d45a995e
with: with:
repo-token: ${{ secrets.GITHUB_TOKEN }} repo-token: ${{ secrets.GITHUB_TOKEN }}
issue-message: > issue-message: >

4
.github/workflows/publish-docs.yml vendored
View file

@ -14,11 +14,11 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Setup python - name: Setup python
uses: actions/setup-python@v4 uses: actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984
with: with:
python-version: '3.10' python-version: '3.10'
cache: 'pip' cache: 'pip'

18
.github/workflows/pull-request.yml vendored
View file

@ -12,14 +12,14 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v3 uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f
with: with:
go-version: 1.18.x go-version: 1.18.x
- uses: dominikh/staticcheck-action@v1.2.0 - uses: dominikh/staticcheck-action@a3513ade2e5cb8075ba1c1ed1890a989cf0f2aa0
with: with:
version: "2022.1.1" version: "2022.1.1"
test: test:
@ -36,18 +36,18 @@ jobs:
runs-on: ${{ matrix.platform }} runs-on: ${{ matrix.platform }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v3 uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f
with: with:
go-version: 1.18.x go-version: 1.18.x
- name: Run tests - name: Run tests
run: | run: |
go test -v -coverprofile coverage.out -covermode atomic ./... go test -v -coverprofile coverage.out -covermode atomic ./...
- name: Publish coverage - name: Publish coverage
uses: codecov/codecov-action@v3 uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
with: with:
token: ${{ secrets.CODECOV_TOKEN }} token: ${{ secrets.CODECOV_TOKEN }}
build: build:
@ -55,15 +55,15 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v3 uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f
with: with:
go-version: 1.18.x go-version: 1.18.x
- name: Build - name: Build
uses: goreleaser/goreleaser-action@v3 uses: goreleaser/goreleaser-action@ff11ca24a9b39f2d36796d1fbd7a4e39c182630a
with: with:
version: v0.155.0 version: v0.155.0
args: --snapshot --skip-publish --debug args: --snapshot --skip-publish --debug

16
.github/workflows/release-dev.yaml vendored
View file

@ -10,9 +10,9 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v3 uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f
with: with:
go-version: 1.18 go-version: 1.18
- name: Build - name: Build
@ -20,15 +20,15 @@ jobs:
test: test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v3 uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f
with: with:
go-version: 1.18 go-version: 1.18
- name: Test - name: Test
run: go test -v -coverprofile coverage.out -covermode atomic ./... run: go test -v -coverprofile coverage.out -covermode atomic ./...
- name: Publish coverage - name: Publish coverage
uses: codecov/codecov-action@v3 uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
with: with:
token: ${{ secrets.CODECOV_TOKEN }} token: ${{ secrets.CODECOV_TOKEN }}
publish: publish:
@ -37,9 +37,9 @@ jobs:
- test - test
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- name: Publish to Docker Hub - name: Publish to Docker Hub
uses: jerray/publish-docker-action@master uses: jerray/publish-docker-action@87d84711629b0dc9f6bb127b568413cc92a2088e
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }} password: ${{ secrets.DOCKERHUB_PASSWORD }}
@ -47,7 +47,7 @@ jobs:
repository: containrrr/watchtower repository: containrrr/watchtower
tags: latest-dev tags: latest-dev
- name: Publish to GHCR - name: Publish to GHCR
uses: jerray/publish-docker-action@master uses: jerray/publish-docker-action@87d84711629b0dc9f6bb127b568413cc92a2088e
with: with:
username: ${{ secrets.BOT_USERNAME }} username: ${{ secrets.BOT_USERNAME }}
password: ${{ secrets.BOT_GHCR_PAT }} password: ${{ secrets.BOT_GHCR_PAT }}

20
.github/workflows/release.yml vendored
View file

@ -15,11 +15,11 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v3 uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f
with: with:
go-version: 1.18.x go-version: 1.18.x
- name: Install linter - name: Install linter
@ -42,11 +42,11 @@ jobs:
runs-on: ${{ matrix.platform }} runs-on: ${{ matrix.platform }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v3 uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f
with: with:
go-version: 1.18.x go-version: 1.18.x
- name: Run tests - name: Run tests
@ -64,26 +64,26 @@ jobs:
TAG: ${{ github.event.release.tag_name }} TAG: ${{ github.event.release.tag_name }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v3 uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f
with: with:
go-version: 1.18.x go-version: 1.18.x
- name: Login to Docker Hub - name: Login to Docker Hub
uses: docker/login-action@v2 uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }} password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GHCR - name: Login to GHCR
uses: docker/login-action@v2 uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
with: with:
username: ${{ secrets.BOT_USERNAME }} username: ${{ secrets.BOT_USERNAME }}
password: ${{ secrets.BOT_GHCR_PAT }} password: ${{ secrets.BOT_GHCR_PAT }}
registry: ghcr.io registry: ghcr.io
- name: Build - name: Build
uses: goreleaser/goreleaser-action@v3 uses: goreleaser/goreleaser-action@ff11ca24a9b39f2d36796d1fbd7a4e39c182630a
with: with:
version: v0.155.0 version: v0.155.0
args: --debug args: --debug
@ -193,7 +193,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Pull new module version - name: Pull new module version
uses: andrewslotin/go-proxy-pull-action@master uses: andrewslotin/go-proxy-pull-action@bfc19ec6536e1638181b2ad6a03e16c7ccfb122f