
Commit c12a6b4

authored
Github Actions updates and setup dependabot (#8624)
* github: actions/checkout v2 -> v3 * github: actions/cache v2 -> v3 * github: actions/setup-python v2 -> v4 * github: dependabot for actions * github: 'restricted' mode for token permissions noticed at https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions whenever external action uses our token, overall workflow 'permissions:' apply https://docs.github.com/en/actions/security-guides/automatic-token-authentication https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token ref. apps documentation to understand which permissions API endpoints need https://docs.github.com/en/rest/overview/permissions-required-for-github-apps * missed tag-to-draft action
1 parent 601da8e commit c12a6b4


4 files changed

+47
-29
lines changed


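--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# see https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
+# make sure our actions stay up-to-date and we know about any updates.
+# most of the time, this happens for major releases.
+# (...unless we stop using version tags and switch to hashes...)
+
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: "weekly"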
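Review bot: The header comment mentions the tag-versus-hash choice only as an aside at new line 4, and it should state the trade-off, because the workflows this file watches reference actions by major tag (`actions/checkout@v3` and similar in the other sections of this commit). A major tag is a mutable ref, so each run executes whatever commit the tag points to at that moment, while a full-length commit SHA is immutable. I would extend the comment along the lines of `# pinning to a full commit SHA makes each reference immutable; updates are then proposed per release rather than per major version`. As far as I know Dependabot's github-actions ecosystem also updates SHA-pinned references, but confirm that against the linked documentation before relying on it.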

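--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -9,6 +9,10 @@ on:
 pull_request:
 
 
+permissions:
+contents: read
+
+
 jobs:
 
 # Run 8 parallel jobs for the default build of all examples.
@@ -22,15 +26,15 @@ jobs:
 matrix:
 chunk: [0, 1, 2, 3, 4, 5, 6, 7]
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
 with:
 submodules: true
-- uses: actions/setup-python@v2
+- uses: actions/setup-python@v4
 with:
 python-version: '3.x'
 - name: Cache Linux toolchain
 id: cache-linux
-uses: actions/cache@v2
+uses: actions/cache@v3
 with:
 path: ./tools/dist
 key: ${{ runner.os }}-${{ hashFiles('package/package_esp8266com_index.template.json', 'tests/common.sh') }}
@@ -57,15 +61,15 @@ jobs:
 matrix:
 chunk: [0, 1, 2, 3, 4, 5, 6, 7]
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
 with:
 submodules: true
-- uses: actions/setup-python@v2
+- uses: actions/setup-python@v4
 with:
 python-version: '3.x'
 - name: Cache Linux toolchain
 id: cache-linux
-uses: actions/cache@v2
+uses: actions/cache@v3
 with:
 path: ./tools/dist
 key: ${{ runner.os }}-${{ hashFiles('package/package_esp8266com_index.template.json', 'tests/common.sh') }}
@@ -85,15 +89,15 @@ jobs:
 name: Windows
 runs-on: windows-latest
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
 with:
 submodules: true
-- uses: actions/setup-python@v2
+- uses: actions/setup-python@v4
 with:
 python-version: '3.x'
 - name: Cache Windows toolchain
 id: cache-windows
-uses: actions/cache@v2
+uses: actions/cache@v3
 with:
 path: ./tools/dist
 key: ${{ runner.os }}-${{ hashFiles('package/package_esp8266com_index.template.json', 'tests/common.sh') }}
@@ -120,15 +124,15 @@ jobs:
 run:
 shell: bash
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
 with:
 submodules: true
-- uses: actions/setup-python@v2
+- uses: actions/setup-python@v4
 with:
 python-version: '3.x'
 - name: Cache Mac toolchain
 id: cache-mac
-uses: actions/cache@v2
+uses: actions/cache@v3
 with:
 path: ./tools/dist
 key: ${{ runner.os }}-${{ hashFiles('package/package_esp8266com_index.template.json', 'tests/common.sh') }}
@@ -152,10 +156,10 @@ jobs:
 run:
 shell: bash
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
 with:
 submodules: true
-- uses: actions/setup-python@v2
+- uses: actions/setup-python@v4
 with:
 python-version: '3.x'
 - name: Build subset on Platform.IO
@@ -179,10 +183,10 @@ jobs:
 run:
 shell: bash
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
 with:
 submodules: true
-- uses: actions/setup-python@v2
+- uses: actions/setup-python@v4
 with:
 python-version: '3.x'
 - name: Run host tests
@@ -203,10 +207,10 @@ jobs:
 run:
 shell: bash
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
 with:
 submodules: true
-- uses: actions/setup-python@v2
+- uses: actions/setup-python@v4
 with:
 python-version: '3.x'
 - name: Build documentation
@@ -230,10 +234,10 @@ jobs:
 run:
 shell: bash
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
 with:
 submodules: true
-- uses: actions/setup-python@v2
+- uses: actions/setup-python@v4
 with:
 python-version: '3.x'
 - name: Style check
@@ -264,10 +268,10 @@ jobs:
 run:
 shell: bash
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
 with:
 submodules: true
-- uses: actions/setup-python@v2
+- uses: actions/setup-python@v4
 with:
 python-version: '3.x'
 - name: Mock build
@@ -286,15 +290,15 @@ jobs:
 run:
 shell: bash
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
 with:
 submodules: true
-- uses: actions/setup-python@v2
+- uses: actions/setup-python@v4
 with:
 python-version: '3.x'
 - name: Cache Linux toolchain
 id: cache-linux
-uses: actions/cache@v2
+uses: actions/cache@v3
 with:
 path: ./tools/dist
 key: ${{ runner.os }}-${{ hashFiles('package/package_esp8266com_index.template.json', 'tests/common.sh') }}
@@ -316,7 +320,7 @@ jobs:
 run:
 shell: bash
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
 with:
 submodules: true
 - name: Run codespell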
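Review bot: The `actions/checkout@v3` steps on the new side (new lines 29, 64, 92, 127 and the later jobs) keep the default `persist-credentials` behaviour, so the job token stays in the workspace git config while later steps build pull-request code. The workflow-level `permissions:` / `contents: read` added at new line 12 limits what that token can do, but it is cheap to remove it from the workspace as well: add `persist-credentials: false` under each `with:` next to `submodules: true`. The job bodies continue outside the hunks, so confirm that no later step needs authenticated git before applying it. A short comment above `permissions:` such as `# default GITHUB_TOKEN scope for all jobs; widen per job only where a step needs it` would also record the intent for whoever adds the next job.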

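--- a/.github/workflows/release-to-publish.yml
+++ b/.github/workflows/release-to-publish.yml
@@ -28,6 +28,9 @@ on:
 release:
 types: [published]
 
+permissions:
+contents: read
+
 jobs:
 package:
 name: Update master JSON file
@@ -36,7 +39,7 @@ jobs:
 run:
 shell: bash
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
 with:
 submodules: false
 fetch-depth: 0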
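Review bot: The `permissions:` / `contents: read` block at new line 31 applies to every job in this workflow, including `package` ("Update master JSON file"), whose publishing steps lie outside the hunk, so confirm that none of them writes to the release or repository through `GITHUB_TOKEN`. If one does, grant `contents: write` in a `permissions:` block under `package:` only and keep the workflow default read-only. If publishing uses a separate deploy key or secret, this block does not restrict that credential, and a comment such as `# GITHUB_TOKEN is read-only here; publishing uses <credential name>` would make that explicit. The tag-to-draft-release.yml section of this commit adds no `permissions:` block, so unless one already exists outside its visible hunk, that workflow presumably still runs with the repository default token scope.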

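--- a/.github/workflows/tag-to-draft-release.yml
+++ b/.github/workflows/tag-to-draft-release.yml
@@ -18,11 +18,11 @@ jobs:
 run:
 shell: bash
 steps:
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
 with:
 submodules: true
 fetch-depth: 0
-- uses: actions/setup-python@v2
+- uses: actions/setup-python@v4
 with:
 python-version: '3.x'
 - name: Set GIT tag name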
