Skip to content

ci: harden workflows, upgrade actions, fix caching#54

Merged
umputun merged 3 commits intoumputun:masterfrom
paskal:ci/workflow-hardening
Mar 16, 2026
Merged

ci: harden workflows, upgrade actions, fix caching#54
umputun merged 3 commits intoumputun:masterfrom
paskal:ci/workflow-hardening

Conversation

@paskal
Copy link
Contributor

@paskal paskal commented Mar 7, 2026

Changes

  • Reorder checkout before setup-go for proper dependency caching
  • Upgrade all GitHub Actions to latest versions (buildx v4, qemu v4, login v4, build-push v7, upload-artifact v7, download-artifact v8, goreleaser v7)
  • Add permissions: contents: read for least-privilege security (release.yml gets contents: write, ci.yml/ci-site.yml get packages: write)
  • Add persist-credentials: false to checkout steps
  • Pin golangci-lint-action version to v2.11.1

Note: golangci-lint v2.11.1 reports 2 code-level gosec G118/G706 issues that exist on master — not introduced by this PR.

Verified golangci-lint config is valid with v2.11.1.

@paskal paskal requested a review from umputun as a code owner March 7, 2026 19:36
paskal added 2 commits March 7, 2026 20:32
@paskal paskal force-pushed the ci/workflow-hardening branch from 02bec8e to d43032c Compare March 8, 2026 00:47
@umputun umputun merged commit fc27d6b into umputun:master Mar 16, 2026
4 checks passed
@paskal paskal deleted the ci/workflow-hardening branch March 16, 2026 07:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@umputun umputun umputun approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@paskal @umputun