
Commit 70d6921

committed
security: harden CI — pin actions to SHAs, pin deps, restrict permissions
1 parent 617b311 commit 70d6921

1 file changed

Lines changed: 14 additions & 10 deletions


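--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,10 @@ on:
 pull_request:
 branches: [main]
 
+# Restrict default permissions to read-only (principle of least privilege)
+permissions:
+contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
@@ -15,10 +19,10 @@ jobs:
 python-version: ["3.10", "3.11", "3.12"]
 
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Set up Python ${{ matrix.python-version }}
-uses: actions/setup-python@v5
+uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: ${{ matrix.python-version }}
 
@@ -38,25 +42,25 @@ jobs:
 
 - name: Upload coverage
 if: matrix.python-version == '3.11'
-uses: codecov/codecov-action@v4
+uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
 with:
 file: ./coverage.xml
 fail_ci_if_error: false
 
 lint:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Set up Python
-uses: actions/setup-python@v5
+uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: "3.11"
 
 - name: Install dependencies
 run: |
 python -m pip install --upgrade pip
-pip install black ruff
+pip install black==26.3.1 ruff==0.15.9
 
 - name: Check formatting with black
 run: black --check creed_guardian
@@ -73,22 +77,22 @@ jobs:
 id-token: write
 
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Set up Python
-uses: actions/setup-python@v5
+uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: "3.11"
 
 - name: Install build dependencies
 run: |
 python -m pip install --upgrade pip
-pip install build twine
+pip install build==1.4.2 twine==6.2.0
 
 - name: Build package
 run: python -m build
 
 - name: Publish to PyPI
-uses: pypa/gh-action-pypi-publish@release/v1
+uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
 with:
 password: ${{ secrets.PYPI_API_TOKEN }}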
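Review bot: The publish step at the end of the last hunk still passes `password: ${{ secrets.PYPI_API_TOKEN }}` while the same job requests `id-token: write` at the top of the hunk (the job's permissions block begins outside the hunk), so the workflow carries both a long-lived PyPI API token and the OIDC grant that trusted publishing needs; if the project is registered as a trusted publisher, drop the `with:` / `password:` lines so the pinned pypa action authenticates via OIDC and the secret can be revoked, otherwise drop `id-token: write`. A job-level `permissions:` block replaces the new workflow-level `contents: read` for that job rather than adding to it, so the publish job's checkout depends on whatever that block grants — worth confirming it includes `contents: read`. The `pip install build==1.4.2 twine==6.2.0` and `pip install black==26.3.1 ruff==0.15.9` lines pin versions but not artifact hashes, and `python -m pip install --upgrade pip` in both install steps remains unpinned, so installing from a requirements file with `--require-hashes` would complete the dependency pin the commit title describes.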
