ci: pin GitHub action deps, delete automerge dependabot, limit permis…

…sions on GITHUB_TOKEN (#167)
Kong · Jan 22, 2025 · 1cb04ae · 1cb04ae
1 parent 866d1bc
commit 1cb04ae
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 41 deletions.
diff --git a/.github/workflows/automerge-dependabot.yml b/.github/workflows/automerge-dependabot.yml
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
@@ -26,13 +26,13 @@ jobs:
       status: ${{ steps.up-to-date.outputs.status }}
     steps:
       - name: checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 0
       - name: Check if PR is up to date, if it is skip workflows for this ref
         id: 'up-to-date'
         if: github.event_name == 'push' && startsWith(github.ref, 'refs/heads/')
-        uses: Kong/public-shared-actions/pr-previews/[email protected]
+        uses: Kong/public-shared-actions/pr-previews/up-to-date@c03e30a36e8a2dde5cbd463229a96aaad7ccad24 # v1.13.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -60,8 +60,8 @@ jobs:
     - up-to-date
     if: needs.up-to-date.outputs.status != 'true'
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
       - run: make update-codegen verify-codegen
 
   enterprise-integration-tests:

diff --git a/.github/workflows/integration-enterprise.yaml b/.github/workflows/integration-enterprise.yaml
@@ -7,6 +7,9 @@ concurrency:
   group: integration-enterprise-${{ github.workflow }}-${{ github.head_ref || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
 
@@ -29,8 +32,8 @@ jobs:
 
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
       - name: Login to Docker Hub
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:

diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
@@ -7,6 +7,9 @@ concurrency:
   group: integration-${{ github.workflow }}-${{ github.head_ref || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
 
@@ -28,8 +31,8 @@ jobs:
       KONG_IMAGE: ${{ matrix.kong_image }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
       - name: Setup Kong
         run: make setup-kong
       - name: Run integration tests

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -6,6 +6,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -18,8 +21,8 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
       - uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
       - name: Run tests with Coverage
         run: make coverage