diff --git a/.github/workflows/conduit.yml b/.github/workflows/conduit.yml
index 8b2f6a8..2a7cd87 100644
--- a/.github/workflows/conduit.yml
+++ b/.github/workflows/conduit.yml
@@ -2,6 +2,9 @@ name: API spec
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 api-spec:
 name: API spec tests
@@ -24,20 +27,20 @@ jobs:
 options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Set up Python
- uses: actions/setup-python@v2.3.2
+ uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a # v2.3.2
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install Poetry
- uses: snok/install-poetry@v1
+ uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
 with:
 version: "1.1.12"
 virtualenvs-in-project: true
 - name: Set up cache
- uses: actions/cache@v2
+ uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
 id: cache
 with:
 path: .venv
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 8002513..0b36156 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -10,6 +10,9 @@ env:
 DOCKER_USER: ${{ secrets.DOCKER_USER }}
 DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build Container
@@ -17,7 +20,7 @@ jobs:
 runs-on: ubuntu-18.04
 steps:
- - uses: actions/checkout@v1
+ - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0
 - name: Build image and publish to registry
 run: |
diff --git a/.github/workflows/styles.yml b/.github/workflows/styles.yml
index 2fdb5f5..0e65638 100644
--- a/.github/workflows/styles.yml
+++ b/.github/workflows/styles.yml
@@ -2,6 +2,9 @@ name: Styles
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 lint:
 name: Lint code
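Review bot: The `actions/cache` pin in the second conduit.yml hunk is annotated `# v2`, a moving major tag, so nothing on the line records which release the SHA `8492260343ad570701412c2f464a5877dc76bace` corresponds to, unlike the neighbouring pins (`# v2.7.0`, `# v2.3.2`, `# v1.4.1`). A reviewer or update tool then cannot tell whether the pin is current or check it against a release's notes. I would annotate it with the exact release, e.g. `uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2.x.y`, where `x.y` is a placeholder for the tag that SHA actually resolves to. The same line appears in the styles.yml and tests.yml hunks, and the `steps:` list continues outside this hunk.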
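Review bot: In deploy.yml the added `permissions: contents: read` narrows only `GITHUB_TOKEN`; the registry credentials just above it stay broadly exposed, because `DOCKER_USER` and `DOCKER_PASSWORD` sit in what appears to be the workflow-level `env:` block and are therefore placed in the environment of every step of every job, including third-party actions. Moving those two entries into an `env:` on the step that logs in to the registry would scope them to where they are used. The `env:` block starts outside this hunk, so other entries in it may deserve the same treatment.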
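Review bot: The SHA pin in the second deploy.yml hunk freezes the deploy job on the checkout v1 line (`# v1.2.0`) while the other workflows in this commit are pinned to v2.7.0, and a SHA pin never picks up fixes by itself. Since this is the job that publishes with registry credentials, I would move it to the release the other workflows use, `- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0`, after confirming the build step does not rely on v1 behaviour. If the repository has no update configuration for actions yet, a Dependabot entry with `package-ecosystem: "github-actions"` would keep all of these pins from going stale. The `run: |` script continues outside the hunk.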
@@ -13,20 +16,20 @@ jobs:
 python-version: [3.9]
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Set up Python
- uses: actions/setup-python@v2.3.2
+ uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a # v2.3.2
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install Poetry
- uses: snok/install-poetry@v1
+ uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
 with:
 version: "1.1.12"
 virtualenvs-in-project: true
 - name: Set up cache
- uses: actions/cache@v2
+ uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
 id: cache
 with:
 path: .venv
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index f153b47..9f9d639 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -2,6 +2,9 @@ name: Tests
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 lint:
 name: Run tests
@@ -24,21 +27,21 @@ jobs:
 options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
 steps:
- - uses: actions/checkout@master
+ - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master
 - name: Set up Python
- uses: actions/setup-python@v2.3.2
+ uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a # v2.3.2
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install Poetry
- uses: snok/install-poetry@v1
+ uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
 with:
 version: "1.1.12"
 virtualenvs-in-project: true
 - name: Set up cache
- uses: actions/cache@v2
+ uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
 id: cache
 with:
 path: .venv
@@ -60,4 +63,4 @@ jobs:
 poetry run ./scripts/test
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v2.1.0
+ uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b # v2.1.0
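Review bot: The checkout pin in the second tests.yml hunk is annotated `# master`, a branch name rather than a release, so `61b9e3751b92087fd0b06925ba6dd6314e06f089` is presumably whatever the branch head was when the pin was generated and cannot be matched to a tagged, reviewed version. That leaves this workflow on unreleased code and gives update tooling no version to compare against. I would pin it to the same release as conduit.yml and styles.yml, `- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0`. The `steps:` list begins before and continues after this hunk.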