From c175e8ee9b05151a285dd28c71073345044a9ab2 Mon Sep 17 00:00:00 2001
From: Roberto Rossini <71787608+robomics@users.noreply.github.com>
Date: Mon, 13 Jan 2025 18:55:11 +0100
Subject: [PATCH 1/2] CodeQL: fix "Unpinned tag for a non-immutable Action in workflow" warnings

---
 .github/workflows/build-dockerfile.yml | 18 +++++++++---------
 .github/workflows/build-package.yml | 2 +-
 .github/workflows/ci.yml | 8 ++++----
 .github/workflows/lint-cff.yml | 4 ++--
 4 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/build-dockerfile.yml b/.github/workflows/build-dockerfile.yml
index 43b00b5..ca3fa74 100644
--- a/.github/workflows/build-dockerfile.yml
+++ b/.github/workflows/build-dockerfile.yml
@@ -115,7 +115,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
         with:
           images: ${{ steps.build-args.outputs.REPO_LOWERCASE }},ghcr.io/${{ steps.build-args.outputs.REPO_LOWERCASE }}
           flavor: |
@@ -128,32 +128,32 @@ jobs:
 
       - name: Login to DockerHub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # 3.8.0
         with:
           platforms: linux/amd64,linux/arm64
 
       - name: Set up QEMU
         if: github.event_name != 'pull_request'
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # 3.3.0
         with:
           platforms: arm64
 
       - name: Build Docker image (x86)
         if: github.event_name != 'pull_request'
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: ${{ github.workspace }}
           load: true
@@ -171,7 +171,7 @@ jobs:
 
       - name: Build Docker image (x86; PR)
         if: github.event_name == 'pull_request'
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: ${{ github.workspace }}
           load: true
@@ -191,7 +191,7 @@ jobs:
 
       - name: Build Docker image (arm64)
         if: github.event_name != 'pull_request'
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: ${{ github.workspace }}
           push: false
@@ -208,7 +208,7 @@ jobs:
 
       - name: Push image to registries
         if: github.event_name != 'pull_request'
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: ${{ github.workspace }}
           push: true
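Review bot: The version comments on the setup-buildx-action and setup-qemu-action pins in this hunk read `# 3.8.0` and `# 3.3.0`, while every other pin in the series records the tag name with its `v` prefix (`# v3.3.0`, `# v6.11.0`). Dependabot and Renovate read that trailing comment to work out which tag a SHA corresponds to and to bump it, so an inconsistent comment can leave these two pins stale while the rest keep getting updated; suggest `uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0` and `uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0`. Pinning to SHAs also means nothing moves on its own, so if the repository does not already have an updater configured for the github-actions ecosystem, these hashes will silently fall behind upstream fixes.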
diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml
index d8b2bd1..9bfd7c7 100644
--- a/.github/workflows/build-package.yml
+++ b/.github/workflows/build-package.yml
@@ -89,7 +89,7 @@ jobs:
           name: dist
 
       - name: Upload wheels to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # release/1.12.3
         with:
           attestations: true
           print-hash: true
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ca3fcd4..3eae627 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -141,7 +141,7 @@ jobs:
           -m unit
 
       - name: Upload unit test coverage report to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
         with:
           flags: "tests | unit | python-${{ matrix.python_version }}"
           disable_search: true
@@ -163,7 +163,7 @@ jobs:
           -m unit
 
       - name: Upload unit test coverage report to Codecov (core)
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
         with:
           flags: "tests | unit | python-${{ matrix.python_version }} | core"
           disable_search: true
@@ -185,7 +185,7 @@ jobs:
           -m end2end
 
       - name: Upload end2end test coverage report to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
         with:
           flags: "tests | integration | python-${{ matrix.python_version }}"
           disable_search: true
@@ -207,7 +207,7 @@ jobs:
           -m end2end
 
       - name: Upload end2end test coverage report to Codecov (core)
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
         with:
           flags: "tests | integration | python-${{ matrix.python_version }} | core"
           disable_search: true
diff --git a/.github/workflows/lint-cff.yml b/.github/workflows/lint-cff.yml
index 26ff001..476236a 100644
--- a/.github/workflows/lint-cff.yml
+++ b/.github/workflows/lint-cff.yml
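Review bot: The comment on the pypa/gh-action-pypi-publish pin reads `# release/1.12.3`, which mixes the old floating branch name with a version number and does not follow the tag-name form used for the other pins in this commit; updaters key on that comment, so confirm the exact tag the SHA corresponds to and record it verbatim, e.g. `# <tag-name>`. Moving the publish step off the floating `release/v1` branch onto a fixed SHA is the right choice for the step that handles the PyPI publishing credential, but it also means upstream security fixes to the action are no longer picked up without an explicit bump. The job's `permissions:` and the rest of the `with:` block lie outside the hunk.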
@@ -54,10 +54,10 @@ jobs:
           EOF
 
       - name: Setup R
-        uses: r-lib/actions/setup-r@v2
+        uses: r-lib/actions/setup-r@473c68190595b311a74f208fba61a8d8c0d4c247 # v2.11.1
 
       - name: Add requirements
-        uses: r-lib/actions/setup-r-dependencies@v2
+        uses: r-lib/actions/setup-r-dependencies@473c68190595b311a74f208fba61a8d8c0d4c247 # v2.11.1
 
       - name: Lint CITATION.cff
         run: Rscript -e 'cffr::cff_validate("CITATION.cff")'

From 41430016905ff1a96edf6b37d90383ff1a5a1c38 Mon Sep 17 00:00:00 2001
From: Roberto Rossini <71787608+robomics@users.noreply.github.com>
Date: Mon, 13 Jan 2025 19:06:05 +0100
Subject: [PATCH 2/2] CodeQL: fix "Workflow does not contain permissions" warnings

---
 .github/workflows/build-dockerfile.yml | 7 +++++--
 .github/workflows/build-package.yml | 4 ++++
 .github/workflows/cache-test-datasets.yml | 3 +++
 .github/workflows/ci.yml | 3 +++
 .github/workflows/lint-cff.yml | 3 +++
 5 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build-dockerfile.yml b/.github/workflows/build-dockerfile.yml
index ca3fa74..f48e610 100644
--- a/.github/workflows/build-dockerfile.yml
+++ b/.github/workflows/build-dockerfile.yml
@@ -43,6 +43,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   cache-test-datasets:
     name: Cache test dataset
@@ -53,8 +56,8 @@ jobs:
     needs: [cache-test-datasets]
     runs-on: ubuntu-latest
     permissions:
-      contents: "read"
-      packages: "write"
+      contents: read
+      packages: write
     steps:
       - uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml
index 9bfd7c7..76f802b 100644
--- a/.github/workflows/build-package.yml
+++ b/.github/workflows/build-package.yml
@@ -39,6 +39,10 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  attestations: write
+  contents: read
+
 jobs:
   build-package:
     name: Build package distribution
diff --git a/.github/workflows/cache-test-datasets.yml b/.github/workflows/cache-test-datasets.yml
index eb7a6d4..d1eb84c 100644
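Review bot: `actions/checkout@v4` in the context lines of the `@@ -53,8 +56,8 @@` hunk is still a mutable tag, so the job that holds `packages: write` keeps one unpinned action after the previous commit pinned the docker/* actions in the same file; it does not appear among the first commit's changes, and it is worth pinning the same way for consistency, as `- uses: actions/checkout@<full-commit-sha> # v4.x.y` (placeholder; substitute the SHA of the v4 release actually in use). The change from `"read"`/`"write"` to bare `read`/`write` is behavior-neutral, since both forms parse as plain strings. The job definition starts and continues outside the hunk.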
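Review bot: Declaring `attestations: write` at the workflow level in build-package.yml grants it to every job in the file, including the `build-package` job that only produces the distribution, whereas only the PyPI upload step needs it; least privilege would keep the top-level block at `contents: read` and put `attestations: write` together with the `id-token: write` that trusted publishing and `attestations: true` require on the publishing job's own `permissions:`. Whether that job already declares `id-token: write` is not visible in this hunk, so confirm before moving anything. If the publish job does carry its own `permissions:` block, a job-level block replaces rather than extends the workflow-level one, so the moved entry has to be added there explicitly.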
--- a/.github/workflows/cache-test-datasets.yml
+++ b/.github/workflows/cache-test-datasets.yml
@@ -15,6 +15,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 env:
   TEST_MCOOL_NAME: 4DNFI9GMP2J8.mcool
   TEST_MCOOL_URL: "https://zenodo.org/records/14616548/files/4DNFI9GMP2J8.stripepy.mcool?download=1"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3eae627..c3420d3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -33,6 +33,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   matrix-factory:
     name: Generate job matrix
diff --git a/.github/workflows/lint-cff.yml b/.github/workflows/lint-cff.yml
index 476236a..b759d00 100644
--- a/.github/workflows/lint-cff.yml
+++ b/.github/workflows/lint-cff.yml
@@ -25,6 +25,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   lint-cff:
     runs-on: ubuntu-latest