diff --git a/.github/workflows/ci-site.yml b/.github/workflows/ci-site.yml
index 7a349264..d9e2f71b 100644
--- a/.github/workflows/ci-site.yml
+++ b/.github/workflows/ci-site.yml
@@ -15,6 +15,10 @@ on:
       - "site/**"
       - "README.md"
       - "Dockerfile.site"
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   build:
@@ -22,14 +26,16 @@ jobs:
 
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
 
       - name: set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: available platforms
         run: echo ${{ steps.buildx.outputs.platforms }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 32981d37..c41ec52d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
     tags:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -18,15 +21,17 @@ jobs:
           sudo rm -rf /usr/local/share/boost
           docker system prune -af
 
+      - name: checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
       - name: set up go 1.25
         uses: actions/setup-go@v6
         with:
           go-version: "1.25"
         id: go
 
-      - name: checkout
-        uses: actions/checkout@v6
-
       - name: build and test
         run: |
           go test -v -timeout=180s -p 1 -covermode=atomic -coverprofile=$GITHUB_WORKSPACE/profile.cov_tmp ./...
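Review bot: The bumped `uses:` lines in this hunk (`actions/checkout@v6`, `docker/setup-qemu-action@v4`, `docker/setup-buildx-action@v4`) still resolve a mutable major tag, so what actually runs can change later without any diff in this file; pinning each to its full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<FULL_COMMIT_SHA>  # v6` (placeholder), keeps a version bump an explicit, reviewable event. The same applies to every other `uses:` bump in this commit (ci.yml, docker.yml, release.yml), so I am noting it once here. The added `persist-credentials: false` is the right default, assuming no later step in the job pushes with the checkout token; the build job continues past the end of this hunk.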
@@ -47,20 +52,18 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v9
         with:
-          version: latest
+          version: "latest"
 
       - name: golangci-lint on example directory
         uses: golangci/golangci-lint-action@v9
         with:
-          version: latest
+          version: "latest"
           args: --config ../../.golangci.yml
           working-directory: examples/plugin
 
-      - name: install goveralls
-        run: |
-          go install github.com/mattn/goveralls@latest
-
       - name: submit coverage
-        run: $(go env GOPATH)/bin/goveralls -service="github" -coverprofile=$GITHUB_WORKSPACE/profile.cov
+        run: |
+          go install github.com/mattn/goveralls@latest
+          goveralls -service="github" -coverprofile=$GITHUB_WORKSPACE/profile.cov
         env:
           COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 4cd0af79..622e83a5 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -6,20 +6,19 @@ on:
     types: [completed]
     # NOTE: Do NOT add `branches:` filter here - it breaks tag builds
 
+permissions:
+  contents: read
+  packages: write
+
 env:
   REGISTRY_GHCR: ghcr.io
   REGISTRY_DOCKER: docker.io
   IMAGE_NAME: ${{ github.actor }}/reproxy
 
-permissions:
-  contents: read
-  packages: write
-
 jobs:
   build:
     if: >-
       github.event.workflow_run.conclusion == 'success' &&
-      github.event.workflow_run.event == 'push' &&
       (github.event.workflow_run.head_branch == 'master' ||
        startsWith(github.event.workflow_run.head_branch, 'v'))
     strategy:
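Review bot: The merged `submit coverage` step now runs `go install github.com/mattn/goveralls@latest` and immediately executes the result with `secrets.GITHUB_TOKEN` in its environment, so whatever the module proxy serves as latest at that moment receives the token; pin the tool, `go install github.com/mattn/goveralls@<PINNED_VERSION>` (placeholder), so an upgrade is an explicit change rather than something that happens on the next run. `version: "latest"` for golangci-lint has the same unpinned property; the quoting change only affects YAML typing, not what is fetched. Dropping the `$(go env GOPATH)/bin/` prefix appears to rely on setup-go having put that directory on PATH, which holds when the go step precedes this one as it does here, but is worth a short comment.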
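Review bot: Dropping `github.event.workflow_run.event == 'push' &&` widens the gate on the build job: ci.yml also runs on `pull_request` (visible in its first hunk), and for a workflow_run triggered by a pull request `head_branch` is, as far as I read the payload, the contributor's branch name, so a PR opened from a fork's `master` (or any `v…` branch) that passes CI would now satisfy this condition, after which the job checks out `workflow_run.head_sha` and logs in to both registries with the repository's secrets. If the intent is to build from pull requests of this repository only, add `github.event.workflow_run.head_repository.full_name == github.repository &&` next to the branch check; otherwise restore the removed line. Moving `permissions:` above `env:` is fine, but a one-line comment on why the event check was dropped would help the next reader, since the existing NOTE only covers `branches:`.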
@@ -39,19 +38,20 @@ jobs:
         uses: actions/checkout@v6
         with:
           ref: ${{ github.event.workflow_run.head_sha }}
+          persist-credentials: false
 
       - name: set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: login to ghcr.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.PKG_TOKEN }}
 
       - name: login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ github.actor }}
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
@@ -65,7 +65,7 @@ jobs:
       - name: build and push to ghcr.io
         id: build-ghcr
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           platforms: ${{ matrix.platform }}
@@ -77,7 +77,7 @@ jobs:
       - name: build and push to Docker Hub
         id: build-dockerhub
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           platforms: ${{ matrix.platform }}
@@ -96,7 +96,7 @@ jobs:
           touch "/tmp/digests/dockerhub/${digest_dockerhub#sha256:}"
 
       - name: upload ghcr digest
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: digests-ghcr-${{ matrix.artifact }}
           path: /tmp/digests/ghcr/*
@@ -104,7 +104,7 @@ jobs:
           retention-days: 1
 
       - name: upload dockerhub digest
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: digests-dockerhub-${{ matrix.artifact }}
           path: /tmp/digests/dockerhub/*
@@ -117,14 +117,14 @@ jobs:
 
     steps:
       - name: download ghcr digests
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           path: /tmp/digests/ghcr
           pattern: digests-ghcr-*
           merge-multiple: true
 
       - name: download dockerhub digests
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           path: /tmp/digests/dockerhub
           pattern: digests-dockerhub-*
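Review bot: Both registry logins touched in this hunk keep `username: ${{ github.actor }}` paired with a long-lived secret, and for a workflow_run the actor is whoever triggered the upstream run, which is not necessarily the owner of `PKG_TOKEN` or `DOCKER_HUB_TOKEN`; with `packages: write` now granted at workflow level, the ghcr login could instead use `username: ${{ github.repository_owner }}` with `password: ${{ secrets.GITHUB_TOKEN }}`, provided the image namespace is the repository owner's, which would also let the PAT be retired. The `persist-credentials: false` added beside the `head_sha` checkout is the right choice for a job that never pushes to git. The remaining hunks in this file are version bumps only.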
@@ -148,17 +148,17 @@ jobs:
           echo "All $expected digests present for both registries"
 
       - name: set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: login to ghcr.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.PKG_TOKEN }}
 
       - name: login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ github.actor }}
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8bab8017..a5f05e95 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - 'v*'
 
+permissions:
+  contents: write
+
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
@@ -13,6 +16,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: set up go
         uses: actions/setup-go@v6
@@ -20,7 +24,7 @@ jobs:
           go-version: "1.25"
 
       - name: run goreleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
         with:
           version: ~> 1.25
           args: release --clean
diff --git a/.golangci.yml b/.golangci.yml
index b6a2a5db..501ff21f 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -26,6 +26,7 @@ linters:
     gosec:
       excludes:
         - G117
+        - G118
         - G704
     goconst:
       min-len: 2
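Review bot: The new `- G118` exclusion silences a gosec rule with no record of why, and the neighbouring `G117`/`G704` entries are equally bare, so the list will only grow without anyone being able to tell which suppressions are still justified; a trailing comment such as `- G118  # TODO(review): state which finding this suppresses and why it is acceptable` keeps the suppression auditable. If the rule only fires at a few call sites, a targeted `//nolint:gosec // reason` at those sites is narrower than a repository-wide exclude.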