diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..203f3c889 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: +- package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index dac7475cd..3037f5b4f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -9,8 +9,15 @@ on: schedule: - cron: '0 16 * * 3' +permissions: + contents: read + jobs: analyze: + permissions: + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report name: Analyze runs-on: ubuntu-latest @@ -25,7 +32,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: # We must fetch at least the immediate parents so that if this is # a pull request then we can checkout the head. @@ -38,14 +45,14 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@v2 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -59,4 +66,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v2 diff --git a/.github/workflows/depsreview.yaml b/.github/workflows/depsreview.yaml new file mode 100644 index 000000000..f2605b7a7 --- /dev/null +++ b/.github/workflows/depsreview.yaml @@ -0,0 +1,14 @@ +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v3 + - name: 'Dependency Review' + uses: actions/dependency-review-action@v1 diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 234f3eaaf..703fb6153 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -32,13 +32,13 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} if: github.event_name != 'pull_request' - uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -48,7 +48,7 @@ jobs: # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta - uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml index de27ed1a4..30a2879eb 100644 --- a/.github/workflows/dockerimage.yml +++ b/.github/workflows/dockerimage.yml @@ -5,6 +5,9 @@ on: branches: - master +permissions: + contents: read + jobs: build: @@ -12,6 +15,6 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@v3 - name: Build the Docker image run: docker build . --file Dockerfile --tag wekan:$(date +%s) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 74f5c74a4..22d4282f3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,12 +5,17 @@ on: branches: - master +permissions: + contents: read + jobs: release: + permissions: + contents: write # for helm/chart-releaser-action to push chart release and create a release runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: 0 diff --git a/.github/workflows/test_suite.yml b/.github/workflows/test_suite.yml index 7f43f19c0..a51ee74a7 100644 --- a/.github/workflows/test_suite.yml +++ b/.github/workflows/test_suite.yml @@ -15,7 +15,7 @@ jobs: # runs-on: ubuntu-latest # steps: # - name: checkout -# uses: actions/checkout@v2 +# uses: actions/checkout@v3 # # - name: setup node # uses: actions/setup-node@v1 @@ -39,7 +39,7 @@ jobs: # needs: [lintcode] # steps: # - name: checkout -# uses: actions/checkout@v2 +# uses: actions/checkout@v3 # # - name: setup node # uses: actions/setup-node@v1 @@ -62,7 +62,7 @@ jobs: # needs: [lintcode,lintstyle] # steps: # - name: checkout -# uses: actions/checkout@v2 +# uses: actions/checkout@v3 # # - name: setup node # uses: actions/setup-node@v1 @@ -87,12 +87,12 @@ jobs: # CHECKOUTS - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 # CACHING - name: Install Meteor id: cache-meteor-install - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ~/.meteor key: v1-meteor-${{ hashFiles('.meteor/versions') }} @@ -101,7 +101,7 @@ jobs: - name: Cache NPM dependencies id: cache-meteor-npm - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ~/.npm key: v1-npm-${{ hashFiles('package-lock.json') }} @@ -110,7 +110,7 @@ jobs: - name: Cache Meteor build id: cache-meteor-build - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: | .meteor/local/resolver-result-cache.json @@ -144,7 +144,7 @@ jobs: needs: [tests] steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Download coverage uses: actions/download-artifact@v2