ci: Improve pipeline security (#346)
- Pinpoint NBGV version
- Remove unused configure-pages action
- Give write permission only to deploy-pages action
- Run CodeQL for every pull request
skarllot authored Oct 17, 2024
1 parent 0c6efb8 commit 0daec68
Showing 4 changed files with 14 additions and 9 deletions.
10 changes: 9 additions & 1 deletion .config/dotnet-tools.json
@@ -6,7 +6,15 @@
"version": "4.0.6",
"commands": [
"dotnet-stryker"
]
],
"rollForward": false
},
"nbgv": {
"version": "3.6.143",
"commands": [
"nbgv"
],
"rollForward": false
}
}
}
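Review bot: the `"rollForward": false` entry is added to the existing `dotnet-stryker` manifest entry as well as to the new `nbgv` entry, which is a behaviour change not covered by the "Pinpoint NBGV version" bullet in the commit message. With roll-forward disabled, both tools will refuse to run on a newer runtime than the one they target, so a runner whose SDK (selected via `global-json-file: global.json` in create-tag.yml) lacks that runtime will fail at `dotnet tool restore` rather than silently rolling forward; that is the intended strictness, but it is worth stating in the commit message and keeping the manifest pins in step with global.json.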
1 change: 0 additions & 1 deletion .github/workflows/codeql.yml
@@ -17,7 +17,6 @@ on:
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main" ]
paths: [ "src/**", "tests/**", "docs/**", '.github/workflows/codeql.yml' ]
schedule:
- cron: '28 20 * * 1'
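Review bot: dropping the `paths:` filter from `pull_request` is the right call for a required check: a path-filtered CodeQL job is skipped entirely on PRs that touch nothing under `src/**`, `tests/**`, `docs/**` or the workflow file, which leaves the required status unset rather than passed. The comment "The branches below must be a subset of the branches above" still refers to the `push` trigger outside this hunk; if that trigger carries the same `paths:` list, consider removing it there too so the `main` baseline used for PR comparison is produced under the same conditions as the PR scan.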

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/create-tag.yml
@@ -41,10 +41,10 @@ jobs:
global-json-file: global.json

- name: 🛠️ Setup Nerdbank.GitVersioning
run: dotnet tool install --tool-path . nbgv
run: dotnet tool restore

- name: 🏷️ Tag release
run: ./nbgv tag
run: dotnet nbgv tag

- name: 🚀 Push Git tags
run: git push --tags
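Review bot: replacing `dotnet tool install --tool-path . nbgv` (which resolves whatever version is latest on the feed at run time) with `dotnet tool restore` moves the version decision into the committed `.config/dotnet-tools.json`, so the tag step no longer depends on what the feed serves on the day of the release. Two small follow-ups: the step is still named "Setup Nerdbank.GitVersioning" but `dotnet tool restore` restores every tool in the manifest, including `dotnet-stryker` per the manifest hunk, so either rename the step or accept the extra download; and the unchanged `git push --tags` pushes every local tag rather than only the one `dotnet nbgv tag` just created, which is fine on a fresh runner but worth a comment.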
8 changes: 3 additions & 5 deletions .github/workflows/docs.yml
@@ -8,11 +8,8 @@ on:
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:

# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
permissions:
contents: read
pages: write
id-token: write

# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
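Review bot: removing the workflow-level `permissions:` block drops `contents: read` along with the two write scopes, so any job that does not declare its own `permissions:` now receives the repository's default `GITHUB_TOKEN` permissions instead of an explicit read-only grant. Keep a minimal workflow-level `permissions: contents: read` (or add it to the build job) so the least-privilege default holds regardless of the repository's Actions settings, and let the deploy job widen it with `pages: write` and `id-token: write` as the later hunk does.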
@@ -48,8 +45,6 @@ jobs:
node-version: 20
cache: npm
cache-dependency-path: docs/package-lock.json
- name: 🌐 Setup Pages
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
- name: 📥 Install dependencies
run: npm ci
- name: 🏗️ Build with VitePress
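Review bot: the removed `actions/configure-pages` step had no `id:`, so no later step could have consumed its outputs (such as the base path it reports), which supports dropping it as unused. One thing to confirm before merging: that action is also what enables GitHub Pages on a repository where it has not been switched on yet, so a fresh fork or a repo with Pages disabled will now fail at the `deploy-pages` step instead of being configured automatically.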
@@ -68,6 +63,9 @@ jobs:
url: ${{ steps.deployment.outputs.page_url }}
needs: build
runs-on: ubuntu-latest
permissions:
pages: write # to deploy to Pages
id-token: write # to verify the deployment originates from an appropriate source
name: Deploy
steps:
- name: 🛡️ Harden Runner
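Review bot: scoping `pages: write` and `id-token: write` to the deploy job is the correct least-privilege shape, and the inline comments explaining each scope are good practice. Note that a job-level `permissions:` block replaces the defaults entirely rather than adding to them, so this job has no `contents: read`; that is fine as long as it only calls `deploy-pages` on the artifact produced by `build`, but a future `actions/checkout` step added here would fail until `contents: read` is listed. The `build` job's permissions are outside this hunk and should be checked separately for an explicit `contents: read` now that the workflow-level block is gone.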