From 9319702f80b1863ce97f5e06a5278e5bd375bb31 Mon Sep 17 00:00:00 2001
From: masamallow <77992722+masamallow@users.noreply.github.com>
Date: Tue, 25 Mar 2025 13:43:41 +0900
Subject: [PATCH 1/9] Refine CI permissions: more strictly

---
.github/workflows/ci.yml | 4 ++++
.github/workflows/release-prepare.yml | 8 ++++----
.github/workflows/release-publish.yml | 5 +++--
3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e781dc2..68a235e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,12 +6,16 @@ on: pull_request: branches: [ main ] +permissions: { } + env: CARGO_TERM_COLOR: always jobs: build-n-test: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Check out code uses: actions/checkout@v4
diff --git a/.github/workflows/release-prepare.yml b/.github/workflows/release-prepare.yml
index ea73281..9a36fd9 100644
--- a/.github/workflows/release-prepare.yml
+++ b/.github/workflows/release-prepare.yml
@@ -3,9 +3,7 @@ name: Prepare Release on: workflow_dispatch: -permissions: - contents: write - pull-requests: write +permissions: { } env: CARGO_TERM_COLOR: always
@@ -13,7 +11,9 @@ env: jobs: crate-release-pull-request: runs-on: ubuntu-latest - + permissions: + contents: write + pull-requests: write steps: - uses: actions/checkout@v4 with:
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index b4beb8f..1c18d27 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -6,12 +6,13 @@ name: Publish Release # tags: # - 'v*.*.*' +permissions: { } + jobs: release: runs-on: ubuntu-latest permissions: - contents: write - + contents: read steps: - uses: actions/checkout@v4

From db177e43cd9582c13698cef73f71ba66f6053efb Mon Sep 17 00:00:00 2001
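Review bot: The job now runs with a read-only token, but `uses: actions/checkout@v4` in the same hunk still resolves a mutable tag, so the code that receives that token is whatever the tag points to on the day of the run. Pin it to a full commit SHA with the version kept in a trailing comment, as the pinact workflow added later in this series does for its own steps, e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`. The same applies to any other action in this job outside the hunk; the pinact automation only rewrites refs on a future pull request, so they stay floating until then.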
From: masamallow <77992722+masamallow@users.noreply.github.com>
Date: Tue, 25 Mar 2025 13:47:56 +0900
Subject: [PATCH 2/9] Comment on signing commit for security

---
.github/workflows/release-prepare.yml | 1 +
1 file changed, 1 insertion(+)

diff --git a/.github/workflows/release-prepare.yml b/.github/workflows/release-prepare.yml
index 9a36fd9..9c5e948 100644
--- a/.github/workflows/release-prepare.yml
+++ b/.github/workflows/release-prepare.yml
@@ -22,6 +22,7 @@ jobs: # TODO Consider using `taiki-e/install-action` instead of `baptiste0928/cargo-install`. # See: https://github.com/taiki-e/install-action + # TODO Set `sign-commit` field or `--sign-commit` flag, OR don't use cargo-release. - name: Install cargo-release from crates.io uses: baptiste0928/cargo-install@v3 with:

From edd715d3854a560441399ea22a71bcdf71dfda3e Mon Sep 17 00:00:00 2001
From: masamallow <77992722+masamallow@users.noreply.github.com>
Date: Tue, 25 Mar 2025 14:00:19 +0900
Subject: [PATCH 3/9] Comment on signing commit for security

---
.github/workflows/release-prepare.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-prepare.yml b/.github/workflows/release-prepare.yml
index 9c5e948..d7f0dfb 100644
--- a/.github/workflows/release-prepare.yml
+++ b/.github/workflows/release-prepare.yml
@@ -22,7 +22,7 @@ jobs: # TODO Consider using `taiki-e/install-action` instead of `baptiste0928/cargo-install`. # See: https://github.com/taiki-e/install-action - # TODO Set `sign-commit` field or `--sign-commit` flag, OR don't use cargo-release. + # TODO Exec with `--sign` flag, OR don't use cargo-release. - name: Install cargo-release from crates.io uses: baptiste0928/cargo-install@v3 with:

From 96913d23ec7e2b96f5dbf64bf1f4213bff252f09 Mon Sep 17 00:00:00 2001
From: masamallow <77992722+masamallow@users.noreply.github.com>
Date: Tue, 25 Mar 2025 14:30:42 +0900
Subject: [PATCH 4/9] Enable signing commit for cargo release

---
.github/workflows/release-prepare.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-prepare.yml b/.github/workflows/release-prepare.yml
index d7f0dfb..1e1b03e 100644
--- a/.github/workflows/release-prepare.yml
+++ b/.github/workflows/release-prepare.yml
@@ -22,7 +22,6 @@ jobs: # TODO Consider using `taiki-e/install-action` instead of `baptiste0928/cargo-install`. # See: https://github.com/taiki-e/install-action - # TODO Exec with `--sign` flag, OR don't use cargo-release. - name: Install cargo-release from crates.io uses: baptiste0928/cargo-install@v3 with:
@@ -68,6 +67,7 @@ jobs: --no-tag \ --no-confirm \ --execute \ + --sign \ --verbose new_version=$(cargo pkgid | cut -d@ -f2) echo "Proposed new version=$new_version"

From bca78cf76201428c4df2d15e5d1402292e6dd506 Mon Sep 17 00:00:00 2001
From: masamallow <77992722+masamallow@users.noreply.github.com>
Date: Tue, 25 Mar 2025 18:34:53 +0900
Subject: [PATCH 5/9] Update checkout steps to disable persist-credential

---
.github/workflows/ci.yml | 4 +++-
.github/workflows/release-prepare.yml | 4 +++-
.github/workflows/release-publish.yml | 5 ++++-
3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 68a235e..2bd062a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,8 +17,10 @@ jobs: permissions: contents: read steps: - - name: Check out code + - name: Checkout code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Cache dependencies uses: Swatinem/rust-cache@v2
diff --git a/.github/workflows/release-prepare.yml b/.github/workflows/release-prepare.yml
index 1e1b03e..3c7cd73 100644
--- a/.github/workflows/release-prepare.yml
+++ b/.github/workflows/release-prepare.yml
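Review bot: `--sign` makes cargo-release invoke `git commit` with GPG signing, which needs a private key in the runner's keyring and `user.signingkey` configured; nothing in this hunk imports a key, so unless an earlier step outside the hunk does, the step will fail at commit time, after `--execute` has already rewritten the manifest. If a key is imported from a secret, add a guard before the release command so a missing key fails early and loudly, e.g. `gpg --list-secret-keys --keyid-format long` followed by `git config --get user.signingkey`. Note that with `--no-tag` two lines above, `--sign` covers only the version-bump commit, not a tag. The full command starts before the hunk, so I cannot see whether `--no-push` is also set.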
@@ -15,10 +15,12 @@ jobs: contents: write pull-requests: write steps: - - uses: actions/checkout@v4 + - name: Checkout code + uses: actions/checkout@v4 with: fetch-depth: 0 fetch-tags: true + persist-credentials: false # TODO Consider using `taiki-e/install-action` instead of `baptiste0928/cargo-install`. # See: https://github.com/taiki-e/install-action
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index 1c18d27..6c2d88d 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -14,7 +14,10 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v4 + - name: Checkout code + uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create tag # TODO fetch version and create tag

From 8a9a17356e6361e17676898ca194b508210f7553 Mon Sep 17 00:00:00 2001
From: masamallow <77992722+masamallow@users.noreply.github.com>
Date: Tue, 25 Mar 2025 18:35:22 +0900
Subject: [PATCH 6/9] fix ci and comment

---
.github/workflows/release-publish.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index 6c2d88d..5a24f9e 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -19,8 +19,8 @@ jobs: with: persist-credentials: false - - name: Create tag - # TODO fetch version and create tag + # TODO fetch version and create tag +#- name: Create tag # TODO create release ??

From b44aa67bcbd0c1d18e112e8e5e28a31497e0f987 Mon Sep 17 00:00:00 2001
From: masamallow <77992722+masamallow@users.noreply.github.com>
Date: Tue, 25 Mar 2025 18:37:07 +0900
Subject: [PATCH 7/9] Add Pinact workflow for managing action versions: avoid actions version vulnerability

---
.github/workflows/pinact.yml | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 .github/workflows/pinact.yml
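Review bot: `persist-credentials: false` on a job that holds `contents: write` and `pull-requests: write` means the checked-out remote no longer carries the token, so any later step in this job that pushes the release branch or opens the pull request must receive the token explicitly (for example `GH_TOKEN: ${{ github.token }}` on a `gh` step, or an authenticated remote URL before `git push`). Those steps are outside this hunk, so I cannot see whether they already do; if `cargo release --execute` pushes on its own, it will now fail with an authentication error. A comment on the new line would save the next reader the search: `# credentials are not persisted: push/PR steps must pass the token explicitly`.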
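Review bot: The `Create tag` step is commented out here, but the job's token is `contents: read` (visible in the context above), and creating a tag or release through the API or `git push --tags` requires `contents: write`. When the TODO is implemented the job-level permission will have to be raised again, and because `persist-credentials: false` is set on the checkout just above, the push will also need the token passed explicitly. I would record both in the TODO so the next attempt does not trip on them: `# TODO create tag/release: needs contents: write and an explicit token (credentials are not persisted)`.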
diff --git a/.github/workflows/pinact.yml b/.github/workflows/pinact.yml
new file mode 100644
index 0000000..8ab34fa
--- /dev/null
+++ b/.github/workflows/pinact.yml
@@ -0,0 +1,23 @@ +name: Pinact + +on: + pull_request: + branches: + - main + +permissions: { } + +jobs: + pinact: + runs-on: ubuntu-24.04 + permissions: + contents: write + workflows: write + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Pin actions + uses: suzuki-shunsuke/pinact-action@d735505f3decf76fca3fdbb4c952e5b3eba0ffdd # v0.1.2

From 0c0f0c6ed0d01eb658560633eac613628eac19b8 Mon Sep 17 00:00:00 2001
From: masamallow <77992722+masamallow@users.noreply.github.com>
Date: Tue, 25 Mar 2025 20:02:02 +0900
Subject: [PATCH 8/9] Remove non-existent permission: workflows

---
.github/workflows/pinact.yml | 1 -
1 file changed, 1 deletion(-)

diff --git a/.github/workflows/pinact.yml b/.github/workflows/pinact.yml
index 8ab34fa..b042f7a 100644
--- a/.github/workflows/pinact.yml
+++ b/.github/workflows/pinact.yml
@@ -12,7 +12,6 @@ jobs: runs-on: ubuntu-24.04 permissions: contents: write - workflows: write steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

From 4d3ae751eb09f6775ae71c0141df9198ce2b1b26 Mon Sep 17 00:00:00 2001
From: masamallow <77992722+masamallow@users.noreply.github.com>
Date: Wed, 26 Mar 2025 21:26:06 +0900
Subject: [PATCH 9/9] Remove empty permissions from workflow

---
.github/workflows/pinact.yml | 2 --
1 file changed, 2 deletions(-)

diff --git a/.github/workflows/pinact.yml b/.github/workflows/pinact.yml
index b042f7a..7a242b6 100644
--- a/.github/workflows/pinact.yml
+++ b/.github/workflows/pinact.yml
@@ -5,8 +5,6 @@ on: branches: - main -permissions: { } - jobs: pinact: runs-on: ubuntu-24.04
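Review bot: The job grants `contents: write` on a `pull_request` trigger, but for pull requests from forks GitHub issues a read-only token regardless of this declaration, and for same-repo pull requests `persist-credentials: false` on the checkout means the remote carries no token either, so the action can only push pinned refs back if it is handed the token through its own input. If pinact-action is only expected to verify that refs are pinned and fail the check otherwise, `contents: read` is sufficient and should be used; the write scope is warranted only if the action commits to the branch, which should be confirmed against the action's documentation for v0.1.2 rather than assumed. Minor: `runs-on: ubuntu-24.04` differs from the `ubuntu-latest` used by the other workflows in this series.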
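Review bot: Dropping the top-level `permissions: { }` removes the deny-by-default for this file: the single `pinact` job still declares its own scopes, so nothing changes today, but any job added later without a `permissions:` block will inherit the repository's default token permissions instead of none. It also makes this the only workflow in the series without the top-level block, which patch 1 deliberately added to `ci.yml`, `release-prepare.yml` and `release-publish.yml`, and the commit message gives no reason for the difference. I would keep `permissions: { }` at the top and leave the job-level `contents: write` as the sole grant.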