diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 86a6414..5c4c585 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,11 +7,15 @@ on: release: types: [ released ] +permissions: {} + jobs: linting: + permissions: + contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: @@ -24,6 +28,8 @@ jobs: run: uv run pre-commit run --all-files test-app: + permissions: + contents: read runs-on: ubuntu-latest strategy: matrix: @@ -33,7 +39,7 @@ jobs: run: docker network create ganache - name: Setup and run ganache run: docker run --detach --publish 8545:8545 --network ganache -e DOCKER=true trufflesuite/ganache:latest --defaultBalanceEther 10000 --gasLimit 10000000 -a 30 --chain.chainId 1337 --chain.networkId 1337 -d - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: 
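Review bot: The `actions/checkout` step in `linting` (and the same step in the hunks at -33, -48 and -82) still runs with its default `persist-credentials: true`, so the job token stays configured for git after checkout even though this commit scopes that token down. None of the steps visible in these hunks runs an authenticated git command, so adding `persist-credentials: false` under a `with:` key on each checkout would complete the least-privilege change. It matters most in `publish` and `docker-deploy`, which also handle registry secrets. The `linting` job continues past the end of this hunk, so confirm that no later step needs git credentials.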
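Review bot: The `test-app` job that receives `contents: read` in the @@ -24,6 +28,8 @@ hunk still starts `trufflesuite/ganache:latest` (visible as context in the following hunk, @@ -33,7 +39,7 @@), a mutable tag, while every action in the same job is pinned to a commit SHA. A changed or replaced image would run on the runner without any diff appearing in this repository. Pinning it by digest, `trufflesuite/ganache@sha256:<digest-of-the-reviewed-image>` (placeholder), would make the job reproducible and consistent with the action pins. The job body continues outside both hunks.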
@@ -48,28 +54,32 @@ jobs: uv run coverage combine uv run coverage lcov -o coverage.lcov - name: Coveralls Parallel - uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2 + uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6 with: file: coverage.lcov flag-name: run-${{ matrix.python-version }} parallel: true finish: + permissions: + contents: read needs: test-app if: ${{ always() }} runs-on: ubuntu-latest steps: - name: Coveralls Finished - uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2 + uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6 with: parallel-finished: true publish: + permissions: + contents: read runs-on: ubuntu-latest needs: test-app if: github.event_name == 'release' && github.event.action == 'released' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install uv uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: 
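Review bot: The two `coverallsapp/github-action` lines are the only pins in this commit where the commit SHA itself changes (`5cbfd81…` to `648a8eb…`); everywhere else only the trailing version comment is edited. The diff cannot show that `648a8eb78e6d50909eff900e4ec85cab4524a45b` is the commit the upstream `v2.3.6` tag points to, so check it against the action's repository before merging, because later reviewers and update bots will trust the comment. Separately, `finish` has no checkout step in the visible lines, so `contents: read` may be broader than it needs. It is worth testing whether `permissions: {}` is enough for the `parallel-finished` call.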
@@ -82,22 +92,24 @@ jobs: UV_PUBLISH_PASSWORD: ${{ secrets.PYPI_TOKEN }} docker-deploy: + permissions: + contents: read runs-on: ubuntu-latest needs: test-app if: github.event_name == 'release' && github.event.action == 'released' steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 with: platforms: arm64 - - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 + - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Dockerhub login - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: username: ${{ secrets.DOCKER_USER }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Deploy Tag - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 with: context: . file: Dockerfile diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index fd4dbde..2b3c1a8 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml @@ -5,8 +5,12 @@ on: pull_request_target: types: [ opened,closed,synchronize ] +permissions: {} + jobs: CLAssistant: + permissions: + contents: read runs-on: ubuntu-latest steps: - name: "CLA Assistant"
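Review bot: The first context line of the @@ -82,22 +92,24 @@ hunk, `UV_PUBLISH_PASSWORD: ${{ secrets.PYPI_TOKEN }}`, shows that `publish` still uploads with a stored PyPI credential, which the `contents: read` block added to that job in the previous hunk does not constrain. If that secret is a long-lived API token (not visible here), PyPI trusted publishing would replace it with a short-lived OIDC credential. The job's block would then need `id-token: write` next to `contents: read`, and the secret could be deleted. The publish step itself starts outside this hunk, so check how `uv publish` is invoked before changing it.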
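Review bot: `contents: read` on the `CLAssistant` job in `cla.yml` is likely too narrow for a CLA bot. The step body is outside this hunk, but if the action uses the job's `GITHUB_TOKEN` to comment on the pull request, set a commit status or record signatures in this repository, those calls will fail with a read-only token. In that case the job block would need `pull-requests: write` and `statuses: write`, plus `contents: write` if signatures are stored in this repository. Because the trigger is `pull_request_target`, an explicit minimal grant is the right shape. Confirm the list against the action's documented permissions, and check that the job never checks out or executes code from the pull request head.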