diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
index 3f6a2a13..5c05b7fe 100644
--- a/.github/workflows/dependabot-auto-merge.yaml
+++ b/.github/workflows/dependabot-auto-merge.yaml
@@ -1,11 +1,13 @@
 name: Dependabot auto-merge
 on: pull_request
 permissions:
- contents: write
- pull-requests: write
+ contents: read
 jobs:
 dependabot-auto-merge:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
 if: ${{ github.actor == 'dependabot[bot]' && !github.event.pull_request.auto_merge }}
 steps:
 - name: Approve a PR
diff --git a/.github/workflows/hugo.yml b/.github/workflows/hugo.yml
index 0b630bb6..65a2f12f 100644
--- a/.github/workflows/hugo.yml
+++ b/.github/workflows/hugo.yml
@@ -11,19 +11,20 @@ on:
 permissions:
 contents: read
- pages: write
- id-token: write
 concurrency:
 group: "pages"
 cancel-in-progress: false
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ pages: write
+ id-token: write
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set Node.js 20
- uses: actions/setup-node@v6
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
 with:
 node-version: 20
 - name: Install yarn
@@ -34,7 +35,7 @@ jobs:
 run: yarn run dprint check
 - name: Setup Pages
 id: pages
- uses: actions/configure-pages@v5
+ uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
 - name: Build with Hugo
 run: |
 yarn run hugo \
@@ -42,7 +43,7 @@ jobs:
 --themesDir ../.. \
 --baseURL "${{ steps.pages.outputs.base_url }}"
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v4
+ uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
 with:
 path: ./public
 deploy:
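Review bot: In dependabot-auto-merge.yaml the job that now carries `contents: write` and `pull-requests: write` is still gated on `github.actor == 'dependabot[bot]'`, and `github.actor` names whoever triggered the run rather than the author of the pull request. With the write scopes tied to this one job, that guard is the only thing deciding when they are granted, so I would key it on the PR author instead: `if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && !github.event.pull_request.auto_merge }}`. The job's steps continue past the end of the hunk, so what they approve or merge is not visible here.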
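Review bot: In hugo.yml the `permissions:` block added to the `build` job lists only `pages: write` and `id-token: write`, and a job-level block replaces the workflow-level one instead of extending it, so `contents` drops to `none` for the job that runs `actions/checkout`. Checkout should still succeed on a public repository but would fail on a private one. The visible build steps only check out, build and upload an artifact, so the job looks like it needs `contents: read` (plus `pages: read` if `configure-pages` requires it, which is worth confirming) and not `id-token: write`; that scope belongs with the `deploy` job's `actions/deploy-pages` step. The `build` job continues through the following three hunks.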
@@ -50,8 +51,11 @@ jobs:
 name: github-pages
 url: ${{ steps.deployment.outputs.page_url }}
 runs-on: ubuntu-latest
+ permissions:
+ pages: write
+ id-token: write
 needs: build
 steps:
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 44b577c6..db14f5e8 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -8,19 +8,22 @@ on:
 - CONTRIBUTING.md
 - CODE_OF_CONDUCT.md
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
 with:
 node-version: 20
 - run: npm install -g yarn
 - run: yarn install
 - run: yarn run hugo
 - run: yarn run dprint check
- - uses: score-spec/setup-score@v3
+ - uses: score-spec/setup-score@9ce358a6641972930fbf1c91d93185fec520f7e4 # v3.1.8
 with:
 file: score-compose
 token: ${{ secrets.GITHUB_TOKEN }}
@@ -31,4 +34,4 @@ jobs:
 - run: |
 docker compose up --build -d
 - run: |
- curl $(score-compose resources get-outputs dns.default#score-docs.dns --format '{{ .host }}:8080/docs/')
\ No newline at end of file
+ curl $(score-compose resources get-outputs dns.default#score-docs.dns --format '{{ .host }}:8080/docs/')
diff --git a/.github/workflows/scheduled-generated.yml b/.github/workflows/scheduled-generated.yml
index ae720dec..7aaf2b30 100644
--- a/.github/workflows/scheduled-generated.yml
+++ b/.github/workflows/scheduled-generated.yml
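Review bot: In the first hunk of pull-request.yml the `test` job still runs `npm install -g yarn` and a plain `yarn install`, so the package manager and dependency tree are resolved at run time even though the actions around them are now pinned by commit SHA. If the repository commits a lockfile, enforcing it keeps the installed tree reviewable: `- run: yarn install --frozen-lockfile` for Yarn 1.x, or `--immutable` if the project uses a newer Yarn. Pinning the global install to a version (`npm install -g yarn@<version>`) would close the same gap for the tool itself. The "Install yarn" step in hugo.yml likely deserves the same treatment, though its command is outside the visible hunks.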
@@ -7,11 +7,11 @@ jobs:
 update:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: Setup Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
 with:
 node-version: 22.x
 cache: "npm"
@@ -33,7 +33,7 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@v8
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 commit-message: "chore: update generated content"
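Review bot: In scheduled-generated.yml the `update` job gets no `permissions:` block, unlike the other three workflows in this commit. Both sides of the first hunk start at line 7, so the commit adds nothing above the job either. Unless lines 1–6 already declare one, the job runs with the repository's default token scope. The second hunk passes `GITHUB_TOKEN` to `create-pull-request`, so the job presumably needs write access; stating it on the job makes that explicit and independent of the repository setting: `permissions:` with `contents: write` and `pull-requests: write` under `update:`. The job's middle steps, between the two hunks, are not visible, so any further scope they need would have to be added there.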