-
Notifications
You must be signed in to change notification settings - Fork 202
48 lines (42 loc) · 1.92 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# This is a simple GitHub Actions CI workflow.
name: CI
# Limit permissions. See:
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
# https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions
# https://github.com/actions/first-interaction/issues/10#issuecomment-1041402989
# Since we set "permissions", anything unset has access "none".
permissions:
contents: read
checks: write
# Controls when the action will run. Triggers the workflow on push or pull
# request events but only for the main branch (formerly the master branch)
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Use harden-runner https://github.com/step-security/harden-runner
# presented at OpenSSF Best Practices WG 2022-03-15
- uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
# Checks-out your repository under $GITHUB_WORKSPACE,
# so your job can access it.
# As required by OpenSSF Scorecard,
# we pin this to a specific hash value to prevent use of an unknown
# (and possibly subverted) version.
# Update by consulting: https://github.com/actions/checkout/releases
# We include the hash after '@', and comment "pin @SIMPLE-NAME"; this is
# the naming convention of https://github.com/mheap/pin-github-action
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # pin @v4.1
# Runs a single command using the runners shell
- name: Run a one-line script
run: echo Hello, world!