GHA: license check and action pinning (#7)

stephen-derosa · web-flow · commit f231c0c75028 · 2026-04-09T13:37:29.000-06:00
diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml
@@ -7,11 +7,29 @@ on:
     branches: ["main"]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 jobs:
+  license-check:
+    name: License Check
+    uses: ./.github/workflows/license_check.yml
+    permissions:
+      contents: read
+
+  pin-check:
+    name: Pin Check
+    uses: ./.github/workflows/pin_check.yml
+    permissions:
+      contents: read
+
   build:
+    needs:
+      - license-check
+      - pin-check
     strategy:
       fail-fast: false
       matrix:
@@ -25,10 +43,12 @@ jobs:
 
     name: Build (${{ matrix.name }})
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       # ---------- deps ----------
       - name: Install deps (Ubuntu)
@@ -68,7 +88,7 @@ jobs:
 
       - name: Setup MSVC (Windows)
         if: runner.os == 'Windows'
-        uses: ilammy/msvc-dev-cmd@v1
+        uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
         with:
           arch: x64
 
@@ -159,7 +179,7 @@ jobs:
 
       # ---------- upload build output ----------
       - name: Upload binary
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: basic_room-${{ matrix.name }}
           path: |
diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml
@@ -0,0 +1,37 @@
+# Copyright 2026 LiveKit, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: License Check
+on:
+  workflow_call: {}
+  workflow_dispatch: {}
+
+jobs:
+  license-check:
+    name: License Check
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Check License Headers
+        shell: bash
+        run: |
+          shopt -s globstar nullglob
+          # ghcr.io/google/addlicense v1.2.0
+          docker run --rm -v "${PWD}:/src" -w /src ghcr.io/google/addlicense@sha256:5a48f41ccc8cf3fdd04499649f02a9ee5877ab6f39fd1ac18fd1db5eb1062c5a \
+            -check \
+            -l apache \
+            **/*.{cpp,h,hpp}
diff --git a/.github/workflows/pin_check.yml b/.github/workflows/pin_check.yml
@@ -0,0 +1,32 @@
+# Copyright 2026 LiveKit, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Pin Check
+on:
+  workflow_call: {}
+  workflow_dispatch:
+
+jobs:
+  pin-check:
+    name: Pin Check
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Pin Check
+        uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0
+        with:
+          skip_push: true
diff --git a/simple_data_stream/main.cpp b/simple_data_stream/main.cpp
@@ -1,3 +1,19 @@
+/*
+ * Copyright 2026 LiveKit, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 #include <atomic>
 #include <csignal>
 #include <cstdlib>
