From 9b8e214a90332aa46e9b20ebde94aeff00ffb3fc Mon Sep 17 00:00:00 2001
From: Kevin Dangoor
Date: Tue, 3 Dec 2024 22:23:02 +0000
Subject: [PATCH] Pin setup-ruby and set permissions in test workflow
Fixes for code scanning results
---
.github/workflows/licensed.yml | 6 ++---
.github/workflows/release.yml | 2 +-
.github/workflows/test.yml | 43 ++++++++++++++++++----------------
docs/migrations/v3.md | 18 +++++++-------
4 files changed, 36 insertions(+), 33 deletions(-)
diff --git a/.github/workflows/licensed.yml b/.github/workflows/licensed.yml
index 8975fbe8..4b0e47d0 100644
--- a/.github/workflows/licensed.yml
+++ b/.github/workflows/licensed.yml
@@ -25,7 +25,7 @@ jobs: - uses: actions/checkout@v4 # set up tooling - - uses: ruby/setup-ruby@v1 + - uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true
@@ -34,7 +34,7 @@ jobs: with: # override the command to use licensed built from this repo command: bundle exec licensed - + # changes made using GITHUB_TOKEN will not re-trigger this action. # set a custom token so that added or changed cached license files # will cause this workflow to run and validate cached contents
@@ -42,7 +42,7 @@ jobs: # see https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow # for additional details on GITHUB_TOKEN not re-triggering this action github_token: ${{ secrets.GITHUB_TOKEN }} - + # the "push" workflow updates license metadata files on the branch being examined. # e.g. when the action is run on main, changes are pushed to main
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a919a099..213c9c7a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,7 +15,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc - name: Publish to GPR run: |
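Review bot: The pinned line `- uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc` in the first licensed.yml hunk gives no indication of which setup-ruby release the SHA corresponds to, so a reader cannot tell what is pinned and Dependabot/Renovate cannot keep the pin current by matching a version comment; add a trailing comment such as `- uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # <setup-ruby release tag that this SHA resolves to>`. The same applies to every other setup-ruby pin in this patch (the remaining licensed.yml hunks, the release.yml hunk, and all test.yml hunks). In the same hunk `actions/checkout@v4` stays tag-pinned, as do `actions/cache@v4` and the Haskell/Rust/Java setup steps visible in the test.yml context; if the intent is to pin only actions outside the `actions/*` namespace that is a defensible policy, but it should be stated in the commit message or a comment so the next person does not "fix" the inconsistency either way. The licensed.yml context shows this workflow pushing license metadata with `github_token: ${{ secrets.GITHUB_TOKEN }}` and release.yml publishes to GPR, so both need explicit `permissions:` blocks with exactly the write scopes they use if the top of those files, which lies outside these hunks, does not already declare them.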
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d1eceff9..320e0c0a 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -2,6 +2,9 @@ name: Test on: pull_request +permissions: + contents: read + jobs: bower: runs-on: ubuntu-latest
@@ -15,7 +18,7 @@ jobs: - name: Install Bower run: npm install -g bower - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true - name: Set up fixtures
@@ -32,7 +35,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler: ${{ matrix.bundler }} bundler-cache: true
@@ -50,7 +53,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true - name: Setup Haskell
@@ -78,7 +81,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true - name: Setup Rust toolchain
@@ -104,7 +107,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true - name: Set up fixtures
@@ -126,7 +129,7 @@ jobs: with: php-version: ${{ matrix.php }} - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true - name: Set up fixtures
@@ -142,7 +145,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: ruby-version: ${{matrix.ruby}} bundler-cache: true
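Review bot: The new workflow-level `permissions:` block in the first test.yml hunk has no comment saying why the token is narrowed to `contents: read`, and an unexplained restriction is exactly the line that gets widened the first time a job fails with a 403; add a comment above it such as `# least-privilege GITHUB_TOKEN: the test jobs only check out the repository and never write back` so the intent survives. Because every job in this file inherits the block, any job that later needs a write scope should declare a job-level `permissions:` of its own rather than loosening this one, and a second comment line noting that would keep the read-only default intact. The blank `+` line added after `contents: read` is fine, but it is the only separator between the block and `jobs:`, so keep the comment attached to the `permissions:` key rather than floating above the blank line.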
@@ -164,7 +167,7 @@ jobs: with: go-version: ${{ matrix.go }} - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true
@@ -190,7 +193,7 @@ jobs: cache: true cache-dependency-path: test/fixtures/go/src/test/go.sum - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true - name: Set up fixtures
@@ -212,7 +215,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true - name: Set up Java
@@ -236,7 +239,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true - name: Run tests
@@ -256,7 +259,7 @@ jobs: otp-version: ${{matrix.otp}} elixir-version: ${{matrix.elixir}} - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true - name: Set up fixtures
@@ -279,7 +282,7 @@ jobs: cache: npm cache-dependency-path: test/fixtures/npm/package-lock.json - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true - name: Set up fixtures
@@ -300,7 +303,7 @@ jobs: with: dotnet-version: ${{ matrix.dotnet }} - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true - name: Set up fixtures
@@ -323,7 +326,7 @@ jobs: architecture: x64 cache: pip - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true
@@ -349,7 +352,7 @@ jobs: architecture: x64 cache: pipenv - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true
@@ -390,7 +393,7 @@ jobs: ${{ runner.os }}-pnpm-store- - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true
@@ -412,7 +415,7 @@ jobs: with: swift-version: ${{ matrix.swift }} - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true - uses: actions/cache@v4
@@ -447,7 +450,7 @@ jobs: env: YARN_VERSION: ${{ matrix.yarn_version }} - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true - name: Set up fixtures
@@ -469,7 +472,7 @@ jobs: - name: Install Yarn run: npm install -g yarn - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: bundler-cache: true - name: Set up fixtures
diff --git a/docs/migrations/v3.md b/docs/migrations/v3.md
index 6fbd32eb..3186fd4b 100644
--- a/docs/migrations/v3.md
+++ b/docs/migrations/v3.md
@@ -16,7 +16,7 @@ Using licensed to enumerate bundler dependencies in a GitHub Actions workflow wi If you are using licensed in a GitHub Actions workflow, [github/setup-licensed](https://github.com/github/setup-licensed) has been updated according to this breaking change. `setup-licensed` will install the licensed gem when ruby is available, or the licensed executable when ruby is not available. Alternatively, you can `gem install` licensed directly as an actions step. -This is an example workflow definition that runs [github/licensed-ci](https://github.com/github/licensed-ci)'s opinionated license compliance workflow in CI. It includes jobs that demonstrate installing licensed using +This is an example workflow definition that runs [github/licensed-ci](https://github.com/github/licensed-ci)'s opinionated license compliance workflow in CI. It includes jobs that demonstrate installing licensed using - `gem install` - [github/setup-licensed](https://github.com/github/setup-licensed) - installing when included in a bundler gem file
@@ -43,9 +43,9 @@ jobs: steps: # checkout the repo - uses: actions/checkout@v1 - + # install ruby - - uses: ruby/setup-ruby@v1 + - uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: ruby-version: "3.0"
@@ -60,8 +60,8 @@ jobs: # run licensed-ci to cache any metadata changes and verify compliance - uses: github/licensed-ci@v1 - # OR - + # OR + # install licensed using gem install licensed-ci-gem: runs-on: ubuntu-latest
@@ -69,9 +69,9 @@ jobs: steps: # checkout the repo - uses: actions/checkout@v1 - + # install ruby and bundler - - uses: ruby/setup-ruby@v1 + - uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: ruby-version: "3.0"
@@ -93,9 +93,9 @@ jobs: steps: # checkout the repo - uses: actions/checkout@v1 - + # install ruby and bundler - - uses: ruby/setup-ruby@v1 + - uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc with: ruby-version: "3.0"