chore: update dependencies, improve ci security

Signed-off-by: Henry Gressmann <mail@henrygressmann.de>
explodingcamera · Dec 9, 2024 · c0e9bee · c0e9bee
1 parent b1dd41b
commit c0e9bee
Show file tree

Hide file tree

Showing 7 changed files with 80 additions and 69 deletions.
diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml
@@ -1,9 +1,5 @@
 name: "Build & Publish Container Image"
 
-permissions:
-  contents: read
-  packages: write
-
 on:
   workflow_call:
     inputs:
@@ -19,17 +15,24 @@ on:
 
 jobs:
   docker-build:
+    permissions:
+      contents: read
+      packages: write
+
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ inputs.tag }}
+          persist-credentials: false
       - name: Setup Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Extract Semver
         id: semver
+        env:
+          INPUT_TAG: "${{ inputs.tag }}"
         run: |
-          SEMVER_VERSION=$(echo "${{ inputs.tag }}" | sed -E 's/liwan-v//')
+          SEMVER_VERSION=$(echo "$INPUT_TAG" | sed -E 's/liwan-v//')
           echo "SEMVER_VERSION=${SEMVER_VERSION}" >> "$GITHUB_OUTPUT"
       - name: Setup Docker Metadata
         uses: docker/metadata-action@v5

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,9 +1,5 @@
 name: Release
 
-permissions:
-  contents: write
-  packages: write
-
 on:
   push:
     tags:
@@ -14,7 +10,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: taiki-e/create-gh-release-action@v1
+        with:
+          persist-credentials: false
+      - uses: taiki-e/create-gh-release-action@v1.8.2
         with:
           changelog: CHANGELOG.md
           allow-missing-changelog: true
@@ -26,6 +24,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: oven-sh/setup-bun@v2
         with:
           bun-version: latest
@@ -41,6 +41,8 @@ jobs:
           path: ./web/dist
 
   upload-assets:
+    permissions:
+      contents: write
     needs: [create-release, build-web]
     strategy:
       matrix:
@@ -58,18 +60,22 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/download-artifact@v4
         with:
           name: web-dist
           path: ./web/dist
-      - uses: taiki-e/upload-rust-binary-action@v1
+      - uses: taiki-e/upload-rust-binary-action@v1.23.0
         with:
           bin: liwan
           target: ${{ matrix.target }}
           build-tool: ${{ matrix.build-tool }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
   publish-container:
+    permissions:
+      packages: write
     needs: [create-release, upload-assets]
     uses: explodingcamera/liwan/.github/workflows/container.yaml@main
     with:

diff --git a/.github/workflows/test-web.yaml b/.github/workflows/test-web.yaml
@@ -18,6 +18,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: oven-sh/setup-bun@v2
         with:
           bun-version: latest

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -22,6 +22,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions-rust-lang/setup-rust-toolchain@v1
       - uses: Swatinem/rust-cache@v2
       - run: mkdir ./web/dist