diff --git a/.github/workflows/build-dockerfile.yml b/.github/workflows/build-dockerfile.yml
index 43b00b5..f48e610 100644
--- a/.github/workflows/build-dockerfile.yml
+++ b/.github/workflows/build-dockerfile.yml
@@ -43,6 +43,9 @@ defaults:
 run:
 shell: bash
+permissions:
+ contents: read
+
 jobs:
 cache-test-datasets:
 name: Cache test dataset
@@ -53,8 +56,8 @@ jobs:
 needs: [cache-test-datasets]
 runs-on: ubuntu-latest
 permissions:
- contents: "read"
- packages: "write"
+ contents: read
+ packages: write
 steps:
 - uses: actions/checkout@v4
 with:
@@ -115,7 +118,7 @@ jobs:
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
 with:
 images: ${{ steps.build-args.outputs.REPO_LOWERCASE }},ghcr.io/${{ steps.build-args.outputs.REPO_LOWERCASE }}
 flavor: |
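Review bot: `actions/checkout@v4` on the context line after `steps:` in the second hunk (`@@ -53,8 +56,8 @@`) is still a mutable tag, while this commit pins every other third-party action in the file to a commit SHA. That step runs first in the job whose token this hunk grants `packages: write`, and checkout persists the job's GITHUB_TOKEN into the workspace by default, so it deserves the same pinning as the docker/* actions: `uses: actions/checkout@<commit-sha> # v4.x`, with the SHA taken from the v4 tag you intend and the version kept in the trailing comment. The job definition continues outside the hunk, so any later checkout steps should be checked the same way.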
@@ -128,32 +131,32 @@ jobs:
 - name: Login to DockerHub
 if: github.event_name != 'pull_request'
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # 3.8.0
 with:
 platforms: linux/amd64,linux/arm64
 - name: Set up QEMU
 if: github.event_name != 'pull_request'
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # 3.3.0
 with:
 platforms: arm64
 - name: Build Docker image (x86)
 if: github.event_name != 'pull_request'
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
 with:
 context: ${{ github.workspace }}
 load: true
@@ -171,7 +174,7 @@ jobs:
 - name: Build Docker image (x86; PR)
 if: github.event_name == 'pull_request'
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
 with:
 context: ${{ github.workspace }}
 load: true
@@ -191,7 +194,7 @@ jobs:
 - name: Build Docker image (arm64)
 if: github.event_name != 'pull_request'
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
 with:
 context: ${{ github.workspace }}
 push: false
@@ -208,7 +211,7 @@ jobs:
 - name: Push image to registries
 if: github.event_name != 'pull_request'
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
 with:
 context: ${{ github.workspace }}
 push: true
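Review bot: The version comments on the Buildx and QEMU pins read `# 3.8.0` and `# 3.3.0`, while every other pin in this hunk uses the tag form (`# v3.3.0`, `# v6.11.0`). Once an action is pinned to a SHA the trailing comment is the only human-readable record of the version, and dependency-update tooling matches it against the repository's tags, so keep the form consistent: `uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0` and `uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0`, after confirming those SHAs resolve to the v-prefixed tags. The three following hunks repeat the same build-push-action pin with a consistent comment, so nothing further applies there.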
diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml
index d8b2bd1..76f802b 100644
--- a/.github/workflows/build-package.yml
+++ b/.github/workflows/build-package.yml
@@ -39,6 +39,10 @@ defaults:
 run:
 shell: bash
+permissions:
+ attestations: write
+ contents: read
+
 jobs:
 build-package:
 name: Build package distribution
@@ -89,7 +93,7 @@ jobs:
 name: dist
 - name: Upload wheels to PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # release/1.12.3
 with:
 attestations: true
 print-hash: true
diff --git a/.github/workflows/cache-test-datasets.yml b/.github/workflows/cache-test-datasets.yml
index 597d58d..713ff4b 100644
--- a/.github/workflows/cache-test-datasets.yml
+++ b/.github/workflows/cache-test-datasets.yml
@@ -15,6 +15,9 @@ defaults:
 run:
 shell: bash
+permissions:
+ contents: read
+
 env:
 TEST_MCOOL_NAME: 4DNFI9GMP2J8.mcool
 TEST_MCOOL_URL: "https://zenodo.org/records/14638947/files/4DNFI9GMP2J8.stripepy.mcool?download=1"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f0ca448..ae3233b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -33,6 +33,9 @@ defaults:
 run:
 shell: bash
+permissions:
+ contents: read
+
 jobs:
 matrix-factory:
 name: Generate job matrix
@@ -130,7 +133,7 @@ jobs:
 - name: Upload unit test coverage report to Codecov
 if: (! matrix.minimal_install)
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
 with:
 flags: "tests | unit | python-${{ matrix.python_version }}"
 disable_search: true
@@ -141,7 +144,7 @@ jobs:
 - name: Upload unit test coverage report to Codecov (core)
 if: matrix.minimal_install
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
 with:
 flags: "tests | unit | python-${{ matrix.python_version }} | core"
 disable_search: true
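Review bot: The workflow-level `permissions:` block added in the first hunk of build-package.yml grants `attestations: write` to every job in the workflow, not only to the step that publishes with `attestations: true`. Workflow-level permissions become the default token scope for each job, so a least-privilege layout keeps `contents: read` at the top and moves `attestations: write` into the job that runs `pypa/gh-action-pypi-publish`. Attestations and trusted publishing also need `id-token: write`; it is not visible in this diff, so presumably it is declared on the publishing job and `attestations: write` belongs beside it rather than at workflow scope. The `build-package` job body continues outside the hunk.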
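Review bot: The trailing comment on the new pypa/gh-action-pypi-publish pin reads `# release/1.12.3`, which is neither the old moving ref `release/v1` nor a release tag name. After SHA pinning, that comment is what a reader and version-update tooling use to map the SHA back to a version, so it should name the exact tag the SHA was taken from, e.g. `uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3`, after checking that tag resolves to this commit. The step's `with:` block is complete in the hunk; the enclosing job continues outside it.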
@@ -163,7 +166,7 @@ jobs:
 - name: Upload end2end test coverage report to Codecov
 if: (! matrix.minimal_install)
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
 with:
 flags: "tests | integration | python-${{ matrix.python_version }}"
 disable_search: true
@@ -174,7 +177,7 @@ jobs:
 - name: Upload end2end test coverage report to Codecov (core)
 if: matrix.minimal_install
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
 with:
 flags: "tests | integration | python-${{ matrix.python_version }} | core"
 disable_search: true
diff --git a/.github/workflows/lint-cff.yml b/.github/workflows/lint-cff.yml
index 26ff001..b759d00 100644
--- a/.github/workflows/lint-cff.yml
+++ b/.github/workflows/lint-cff.yml
@@ -25,6 +25,9 @@ defaults:
 run:
 shell: bash
+permissions:
+ contents: read
+
 jobs:
 lint-cff:
 runs-on: ubuntu-latest
@@ -54,10 +57,10 @@ jobs:
 EOF
 - name: Setup R
- uses: r-lib/actions/setup-r@v2
+ uses: r-lib/actions/setup-r@473c68190595b311a74f208fba61a8d8c0d4c247 # v2.11.1
 - name: Add requirements
- uses: r-lib/actions/setup-r-dependencies@v2
+ uses: r-lib/actions/setup-r-dependencies@473c68190595b311a74f208fba61a8d8c0d4c247 # v2.11.1
 - name: Lint CITATION.cff
 run: Rscript -e 'cffr::cff_validate("CITATION.cff")'