
Commit 04a6dc0

Rob-HagueCopilot
andauthored
Harden actions (#1784)
* Harden actions - Pin remaining actions - Specify top-level/default `permissions: contents: read` in build.yml - Set `persist-credentials: false` on checkout - Add an environment for nuget publish job and use `release` event trigger - Add dependabot cooldown * Update .github/workflows/build.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
1 parent 25a931c commit 04a6dc0


3 files changed

+48
-29
lines changed

3 files changed

+48
-29
lines changed

.github/dependabot.yml

Lines changed: 6 additions & 2 deletions
@@ -9,14 +9,14 @@ updates:
99
directory: "/test/Renci.SshNet.IntegrationTests/"
1010
schedule:
1111
interval: "monthly"
12+
cooldown:
13+
default-days: 7
1214

1315
- package-ecosystem: "nuget"
1416
directory: "/"
1517
schedule:
1618
interval: "monthly"
1719
ignore: # See justifications in Directory.Packages.props
18-
- dependency-name: "Microsoft.Bcl.AsyncInterfaces"
19-
2020
- dependency-name: "System.Formats.Asn1"
2121
update-types: ["version-update:semver-major"]
2222

@@ -26,8 +26,12 @@ updates:
2626
dependencies:
2727
patterns:
2828
- "*"
29+
cooldown:
30+
default-days: 7
2931

3032
- package-ecosystem: "github-actions"
3133
directory: "/"
3234
schedule:
3335
interval: "monthly"
36+
cooldown:
37+
default-days: 7
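Review bot: The new `cooldown:` / `default-days: 7` blocks (hunks @@ -9,14 +9,14 @@ and @@ -26,8 +26,12 @@) are printed directly after `interval: "monthly"` and after the `groups` pattern list, and this rendered view drops indentation, so it is worth confirming they sit at the same level as `schedule:` and `groups:` (a direct key of the update entry) rather than nested under them, since Dependabot rejects the config otherwise. The first hunk also drops the `- dependency-name: "Microsoft.Bcl.AsyncInterfaces"` ignore entry (old line 18), which the commit description does not mention; if the package was removed from `Directory.Packages.props`, a word in the description or in the `# See justifications` comment would make the intent clear.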

.github/workflows/build.yml

Lines changed: 34 additions & 21 deletions
@@ -1,21 +1,30 @@
11
name: Build
22

33
on:
4-
- push
5-
- pull_request
6-
- workflow_dispatch
4+
push:
5+
branches-ignore:
6+
- 'dependabot/**'
7+
- 'copilot/**'
8+
pull_request:
9+
release:
10+
types: [published]
11+
workflow_dispatch:
12+
13+
permissions:
14+
contents: read
715

816
jobs:
917
Linux:
1018
runs-on: ubuntu-24.04
1119
steps:
1220
- name: Checkout
13-
uses: actions/checkout@v6
21+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1422
with:
1523
fetch-depth: 0 # needed for Nerdbank.GitVersioning
24+
persist-credentials: false
1625

1726
- name: Setup .NET
18-
uses: actions/setup-dotnet@v5
27+
uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
1928

2029
- name: Build Unit Tests .NET
2130
run: dotnet build -f net10.0 test/Renci.SshNet.Tests/
@@ -48,7 +57,7 @@ jobs:
4857
test/Renci.SshNet.IntegrationTests/
4958
5059
- name: Archive Coverlet Results
51-
uses: actions/upload-artifact@v6
60+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
5261
with:
5362
name: Coverlet Results Linux
5463
path: coverlet
@@ -57,12 +66,13 @@ jobs:
5766
runs-on: windows-2025
5867
steps:
5968
- name: Checkout
60-
uses: actions/checkout@v6
69+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
6170
with:
6271
fetch-depth: 0 # needed for Nerdbank.GitVersioning
72+
persist-credentials: false
6373

6474
- name: Setup .NET
65-
uses: actions/setup-dotnet@v5
75+
uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
6676

6777
- name: Build Solution
6878
run: dotnet build Renci.SshNet.slnx
@@ -74,7 +84,7 @@ jobs:
7484
run: dotnet pack
7585

7686
- name: Archive NuGet Package
77-
uses: actions/upload-artifact@v6
87+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
7888
with:
7989
name: NuGet Package
8090
path: src/Renci.SshNet/bin/Release/*.*nupkg
@@ -108,15 +118,16 @@ jobs:
108118
runs-on: windows-2025
109119
steps:
110120
- name: Checkout
111-
uses: actions/checkout@v6
121+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
112122
with:
113123
fetch-depth: 0 # needed for Nerdbank.GitVersioning
124+
persist-credentials: false
114125

115126
- name: Setup .NET
116-
uses: actions/setup-dotnet@v5
127+
uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
117128

118129
- name: Setup WSL2
119-
uses: Vampire/setup-wsl@6a8db447be7ed35f2f499c02c6e60ff77ef11278 # v6.0.0
130+
uses: Vampire/setup-wsl@d1da7f2c0322a5ee4f24975344f67fc0f5baf364 # v7.0.0
120131
with:
121132
distribution: Ubuntu-24.04
122133

@@ -140,7 +151,7 @@ jobs:
140151
test\Renci.SshNet.IntegrationTests\
141152

142153
- name: Archive Coverlet Results
143-
uses: actions/upload-artifact@v6
154+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
144155
with:
145156
name: Coverlet Results Windows .NET Framework
146157
path: coverlet
@@ -150,15 +161,16 @@ jobs:
150161
runs-on: windows-2025
151162
steps:
152163
- name: Checkout
153-
uses: actions/checkout@v6
164+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
154165
with:
155166
fetch-depth: 0 # needed for Nerdbank.GitVersioning
167+
persist-credentials: false
156168

157169
- name: Setup .NET
158-
uses: actions/setup-dotnet@v5
170+
uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
159171

160172
- name: Setup WSL2
161-
uses: Vampire/setup-wsl@6a8db447be7ed35f2f499c02c6e60ff77ef11278 # v6.0.0
173+
uses: Vampire/setup-wsl@d1da7f2c0322a5ee4f24975344f67fc0f5baf364 # v7.0.0
162174
with:
163175
distribution: Ubuntu-24.04
164176

@@ -182,7 +194,7 @@ jobs:
182194
test\Renci.SshNet.IntegrationTests\
183195

184196
- name: Archive Coverlet Results
185-
uses: actions/upload-artifact@v6
197+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
186198
with:
187199
name: Coverlet Results Windows .NET
188200
path: coverlet
@@ -200,7 +212,7 @@ jobs:
200212
- Windows-Integration-Tests-Net
201213
steps:
202214
- name: Download NuGet Package
203-
uses: actions/download-artifact@v7
215+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
204216
with:
205217
name: NuGet Package
206218

@@ -219,7 +231,8 @@ jobs:
219231
Publish-NuGet-Package:
220232
name: Publish NuGet Package
221233
runs-on: ubuntu-24.04
222-
if: startsWith(github.event.ref, 'refs/tags/20')
234+
if: github.event_name == 'release'
235+
environment: nuget-publish
223236
permissions:
224237
id-token: write
225238
needs:
@@ -229,12 +242,12 @@ jobs:
229242
- Windows-Integration-Tests-Net
230243
steps:
231244
- name: Download NuGet Package
232-
uses: actions/download-artifact@v7
245+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
233246
with:
234247
name: NuGet Package
235248

236249
- name: NuGet login (OIDC → temp API key)
237-
uses: NuGet/login@v1
250+
uses: NuGet/login@d22cc5f58ff5b88bf9bd452535b4335137e24544 # v1.1.0
238251
id: login
239252
with:
240253
user: ${{ secrets.NUGET_USER }}
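Review bot: The new gate `if: github.event_name == 'release'` (hunk @@ -219,7 +231,8 @@) runs the publish job for every `published` release, including ones marked as pre-release, whereas the old `startsWith(github.event.ref, 'refs/tags/20')` check only fired for `20xx` tags; if pre-releases must not reach NuGet, tighten it to `if: github.event_name == 'release' && !github.event.release.prerelease`. The added `environment: nuget-publish` only gates the job when that environment exists in the repository settings with required reviewers and/or deployment tag rules, and none of that configuration is part of this commit, so it should be confirmed before relying on it. Note also that because this job keeps its own `permissions:` block (`id-token: write` at new line 237), the top-level `permissions: contents: read` added in the first hunk does not apply to it — job-level permissions replace the workflow-level set — which looks fine here since the visible steps only download an artifact and log in to NuGet, but the rest of the job is outside the hunk.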

.github/workflows/docs.yml

Lines changed: 8 additions & 6 deletions
@@ -19,16 +19,18 @@ jobs:
1919
environment:
2020
name: github-pages
2121
url: ${{ steps.deployment.outputs.page_url }}
22-
runs-on: ubuntu-latest
22+
runs-on: ubuntu-24.04
2323
steps:
2424
- name: Checkout repository
25-
uses: actions/checkout@v6
25+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
26+
with:
27+
persist-credentials: false
2628

2729
- name: Setup Pages
28-
uses: actions/configure-pages@v5
30+
uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
2931

3032
- name: Setup .NET
31-
uses: actions/setup-dotnet@v5
33+
uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
3234

3335
- name: Setup docfx
3436
run: dotnet tool update -g docfx
@@ -37,10 +39,10 @@ jobs:
3739
run: docfx ./docfx/docfx.json
3840

3941
- name: Upload documentation
40-
uses: actions/upload-pages-artifact@v4
42+
uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
4143
with:
4244
path: './docfx/_site'
4345

4446
- name: Deploy to GitHub Pages
4547
id: deployment
46-
uses: actions/deploy-pages@v4
48+
uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
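Review bot: Alongside the SHA pinning the commit describes, this section silently takes major-version upgrades — `actions/configure-pages` v5 → v6.0.0 and `actions/deploy-pages` v4 → v5.0.0 here, and `actions/upload-artifact` v6 → v7.0.1 with `actions/download-artifact` v7 → v8.0.1 in build.yml — so the changelogs for those majors should be checked and the upgrade called out in the description rather than folded into "pin remaining actions". The trailing `# v6.0.0`-style comments are the only human-readable version signal and are not validated by the runner, so each pinned SHA should be verified against the upstream tag it claims to be (Dependabot's github-actions updater will keep SHA and comment in sync afterwards). The job's `permissions:` block, which `deploy-pages` depends on, starts before this hunk and is not visible here.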
