Skip to content

ci: Improve workflow's security #1


Open
wants to merge 9 commits into base: main
8 changes: 7 additions & 1 deletion .github/workflows/ci.yml
@@ -6,15 +6,21 @@ on:
pull_request:
branches: [ main ]

permissions: { }

env:
CARGO_TERM_COLOR: always

jobs:
build-n-test:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Check out code
- name: Checkout code
uses: actions/checkout@v4
with:
persist-credentials: false

- name: Cache dependencies
uses: Swatinem/rust-cache@v2
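Review bot: the actions in this hunk are still pinned to mutable tags (`uses: actions/checkout@v4`, `uses: Swatinem/rust-cache@v2`) while the new pinact.yml in the same PR pins by full commit SHA with a version comment; since the stated goal is workflow security, pin these the same way, e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` as already used in pinact.yml, so a retagged upstream release cannot change what runs here. The top-level `permissions: { }` plus job-level `contents: read` and `persist-credentials: false` are the right defaults for a build-and-test job; the step rename from "Check out code" to "Checkout code" is cosmetic and fine.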
20 changes: 20 additions & 0 deletions .github/workflows/pinact.yml
@@ -0,0 +1,20 @@
name: Pinact

on:
pull_request:
branches:
- main

jobs:
pinact:
runs-on: ubuntu-24.04
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- name: Pin actions
uses: suzuki-shunsuke/pinact-action@d735505f3decf76fca3fdbb4c952e5b3eba0ffdd # v0.1.2
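Review bot: `contents: write` on a `pull_request`-triggered job sits oddly next to `persist-credentials: false` on the checkout: if `pinact-action` is expected to commit pinned versions back to the PR branch, the checkout no longer leaves a token in the repository, so state which token the action pushes with; if it is only meant to verify that actions are pinned, drop the permission to `contents: read` so a job that runs on every pull request carries no write scope. A one-line comment above `permissions:` recording which of the two is intended would make the choice reviewable. Minor: this workflow uses `ubuntu-24.04` while the others in the PR use `ubuntu-latest`; either is fine, but pick one.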
13 changes: 8 additions & 5 deletions .github/workflows/release-prepare.yml
@@ -3,22 +3,24 @@ name: Prepare Release
on:
workflow_dispatch:

permissions:
contents: write
pull-requests: write
permissions: { }

env:
CARGO_TERM_COLOR: always

jobs:
crate-release-pull-request:
runs-on: ubuntu-latest

permissions:
contents: write
pull-requests: write
steps:
- uses: actions/checkout@v4
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: true
persist-credentials: false

# TODO Consider using `taiki-e/install-action` instead of `baptiste0928/cargo-install`.
# See: https://github.com/taiki-e/install-action
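Review bot: moving `contents: write` and `pull-requests: write` from the workflow level to the job is correct, but adding `persist-credentials: false` to this checkout changes the behaviour of the later steps that this job exists for: with the token no longer written into `.git/config`, any step that pushes the release branch or opens the pull request must be given a token explicitly, otherwise the `cargo release` run and the PR creation further down will fail on push. Check those steps in the unchanged part of the file and pass the token there, or note in a comment that they already do. `fetch-depth: 0` with `fetch-tags: true` is needed for `cargo release` to see the previous tag, so keep that.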
@@ -67,6 +69,7 @@ jobs:
--no-tag \
--no-confirm \
--execute \
--sign \
--verbose
new_version=$(cargo pkgid | cut -d@ -f2)
echo "Proposed new version=$new_version"
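Review bot: `--sign` makes `cargo release` GPG-sign the commit (and the tag, but `--no-tag` is passed here, so only the commit is signed), and nothing in this hunk imports a signing key or configures `user.signingkey`; on a fresh `ubuntu-latest` runner the command will fail at commit time unless a step earlier in the job sets that up. Add the key-import step (from a repository secret) before this one, or drop `--sign` until it exists, and mention the signing requirement in a comment next to the flag.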
14 changes: 9 additions & 5 deletions .github/workflows/release-publish.yml
@@ -6,17 +6,21 @@ name: Publish Release
# tags:
# - 'v*.*.*'

permissions: { }

jobs:
release:
runs-on: ubuntu-latest
permissions:
contents: write

contents: read
steps:
- uses: actions/checkout@v4
- name: Checkout code
uses: actions/checkout@v4
with:
persist-credentials: false

- name: Create tag
# TODO fetch version and create tag
# TODO fetch version and create tag
#- name: Create tag

# TODO create release ??
