Add permissions to publish action (#13)

b0bcarlson · web-flow · commit d13a21b95b74 · 2025-03-14T17:55:36.000Z
* Add permissions to publish action Closes https://github.com/b0bcarlson/bobcodes.net/security/code-scanning/1 * Pin terraform to 1.11.1; Pin digitalocean provider Ref hashicorp/terraform#36704
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -4,6 +4,9 @@ on:
     branches:
       - main
   workflow_dispatch:
+permissions:
+  pull-requests: write
+  contents: read
 jobs:
   publish:
     runs-on: ubuntu-latest
@@ -18,6 +21,8 @@ jobs:
         uses: actions/checkout@v4.2.2
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v3.1.2
+        with:
+          terraform_version: "1.11.1"
       - name: Init Terraform
         working-directory: terraform
         run: terraform init -input=false
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -20,6 +20,8 @@ jobs:
         uses: actions/checkout@v4.2.2
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v3.1.2
+        with:
+          terraform_version: "1.11.1"
       - name: Init Terraform
         working-directory: terraform
         run: terraform init -input=false
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     digitalocean = {
       source  = "digitalocean/digitalocean"
-      version = "~> 2.0"
+      version = "2.49.1"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ terraform {`
`2`	`2`	`required_providers {`
`3`	`3`	`digitalocean = {`
`4`	`4`	`source = "digitalocean/digitalocean"`
`5`		`- version = "~> 2.0"`
	`5`	`+ version = "2.49.1"`
`6`	`6`	`}`
`7`	`7`	`}`
`8`	`8`	`}`