diff --git a/.github/workflows/ci_production.yml b/.github/workflows/ci_production.yml
index 75be357..85a65c2 100644
--- a/.github/workflows/ci_production.yml
+++ b/.github/workflows/ci_production.yml
@@ -5,6 +5,9 @@ on:
 tags:
 - '*'
+permissions:
+ contents: read
+
 env:
 API_IMAGE: email/api
 APP_IMAGE: email/app
@@ -17,12 +20,14 @@ jobs:
 steps:
 - name: Checkout PR branch
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ github.ref }}
 - name: Pull changes from branch
- run: git pull origin ${{ github.ref }}
+ env:
+ GIT_REF: ${{ github.ref }}
+ run: git pull origin "$GIT_REF"
 - name: create app/.env file
 run: |
diff --git a/.github/workflows/ci_staging.yml b/.github/workflows/ci_staging.yml
index 0ff4d17..6e52658 100644
--- a/.github/workflows/ci_staging.yml
+++ b/.github/workflows/ci_staging.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - staging
+permissions:
+ contents: read
+
 env:
 API_IMAGE: email/api
 APP_IMAGE: email/app
@@ -17,7 +20,7 @@ jobs:
 steps:
 - name: Checkout PR branch
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: 'staging'
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 1f9dd94..9044f04 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -9,12 +9,16 @@ on:
 pull_request:
 branches:
 - main
+
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout PR branch
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ github.event.pull_request.head.ref }}
 - name: Set up sparse checkout
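Review bot: The pin comment on the new `uses: actions/checkout@34e1…` line records only `# v4`, and the same applies to the identical checkout pins in ci_staging.yml and go.yml and to the setup-go pin in go.yml; a major-only label lets neither a reader confirm that the commit sits on a released tag nor the SHA-refresh tooling (Dependabot and similar read the trailing comment to learn the current version) track it precisely. Record the exact tag each SHA resolves to, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.X.Y` with X.Y filled in from the release, and verify before merging that each commit is reachable from that tag, because an unverified SHA pin offers no more assurance than the floating tag it replaces. Moving `github.ref` into `env.GIT_REF` is the right way to keep it out of shell interpolation; since the preceding checkout step already fetched that same ref, the `Pull changes from branch` step appears redundant and dropping it would remove the pattern rather than harden it. The job and its `steps:` list start and end outside this hunk.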
@@ -22,12 +26,14 @@ jobs:
 git sparse-checkout init --cone
 git sparse-checkout set api
 - name: Pull changes from PR branch
- run: git pull origin ${{ github.event.pull_request.head.ref }}
+ env:
+ HEAD_REF: ${{ github.event.pull_request.head.ref }}
+ run: git pull origin "$HEAD_REF"
 - name: Move directory
 run: |
 mv api/* .
 - name: Set up Go
- uses: actions/setup-go@v4
+ uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4
 with:
 go-version: '1.23'
 - name: Build
diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
index 247f211..8518491 100644
--- a/.github/workflows/gosec.yml
+++ b/.github/workflows/gosec.yml
@@ -6,6 +6,10 @@ on:
 pull_request:
 branches:
 - main
+
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
@@ -13,7 +17,7 @@ jobs:
 GO111MODULE: on
 steps:
 - name: Checkout PR branch
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ github.event.pull_request.head.ref }}
 - name: Set up sparse checkout
@@ -21,11 +25,13 @@ jobs:
 git sparse-checkout init --cone
 git sparse-checkout set api
 - name: Pull changes from PR branch
- run: git pull origin ${{ github.event.pull_request.head.ref }}
+ env:
+ HEAD_REF: ${{ github.event.pull_request.head.ref }}
+ run: git pull origin "$HEAD_REF"
 - name: Move directory
 run: |
 mv api/* .
 - name: Run Gosec Security Scanner
- uses: securego/gosec@master
+ uses: securego/gosec@bb17e422fc34bf4c0a2e5cab9d07dc45a68c040c # v2.24.7
 with:
 args: '-exclude=G101,G402,G505,G117,G122 -exclude-dir=gomail.v2 ./...'
\ No newline at end of file
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 8de0045..9605abe 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
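Review bot: Pinning `securego/gosec` to commit `bb17e422fc34bf4c0a2e5cab9d07dc45a68c040c` means the scanner no longer follows `master`, so its rule set will silently age unless an automated pin updater (Dependabot's github-actions ecosystem or equivalent) is enabled for this repository; this holds for every pin in the change but matters most for the security scanner. The diff cannot show whether that commit is reachable from the `v2.24.7` tag named in the comment, so that should be confirmed before merging. The unchanged `args:` line directly below keeps `-exclude=G101,G402,…`, which suppresses the hard-coded-credential and TLS-configuration rules; a comment above it such as `# G101/G402 excluded because: <reason>` would keep that suppression reviewable now that the scanner version is fixed. The job's `steps:` list begins outside this hunk.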
@@ -18,7 +18,7 @@ jobs:
 pull-requests: write
 steps:
- - uses: actions/stale@v5
+ - uses: actions/stale@f7176fd3007623b69d27091f9b9d4ab7995f0a06 # v5
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 stale-issue-message: 'This issue is stale because it has been open 60 days with no activity.'