diff --git a/.github/workflows/check_license.yml b/.github/workflows/check_license.yml
index 2ae3dabb4..0f328f910 100644
--- a/.github/workflows/check_license.yml
+++ b/.github/workflows/check_license.yml
@@ -20,16 +20,21 @@ on:
 - main
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 check-license:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version: '1.21'
diff --git a/.github/workflows/check_private_index.yml b/.github/workflows/check_private_index.yml
index 2061d2b19..45a76c25f 100644
--- a/.github/workflows/check_private_index.yml
+++ b/.github/workflows/check_private_index.yml
@@ -18,12 +18,17 @@ on:
 push:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 check-for-private-index:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Search for private index URL in uv.lock files
 run: |
 FORBIDDEN_URL="us-python.pkg.dev"
diff --git a/.github/workflows/composer_build_and_test.yml b/.github/workflows/composer_build_and_test.yml
index 54b4413b7..ad1e04699 100644
--- a/.github/workflows/composer_build_and_test.yml
+++ b/.github/workflows/composer_build_and_test.yml
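Review bot: The pin comments on the new `uses:` lines in check_license.yml (`# v6` after the checkout and setup-go SHAs) record only the major tag, so a reader cannot confirm that the commit SHA corresponds to a released tag, and pin-maintenance tools key their bumps on an exact tag in that comment; prefer the exact release the SHA was resolved from, e.g. `# v6.<minor>.<patch>` (placeholder — use the real tag). The same applies to every pinned line in this change: check_private_index.yml, composer_build_and_test.yml, docs.yml, editor_build.yml, inspector_build.yml, java_build_and_test.yml, lit_build_and_test.yml, lit_samples_build.yml, ng_build_and_test.yml, python_agent_sdk_build_and_test.yml, python_samples_build.yml, react_renderer.yml, validate_specifications.yml and web_build_and_test.yml. Once pins are exact, a `github-actions` ecosystem entry in the repository's dependency-update configuration keeps the SHAs from going stale. The top of each `on:` block and the rest of each job lie outside the hunks.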
@@ -24,20 +24,25 @@ on:
 - 'tools/composer/**'
 - '.github/workflows/composer_build_and_test.yml'
+permissions:
+ contents: read
+
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install pnpm
- uses: pnpm/action-setup@v4
+ uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
 with:
 version: 10
 - name: Set up Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '20'
 cache: 'pnpm'
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 98aee926e..5cef30cdc 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -32,6 +32,9 @@ on:
 - "mkdocs.yml"
 - "docs/**"
+permissions:
+ contents: read
+
 jobs:
 build_and_deploy:
 runs-on: ubuntu-latest
@@ -43,7 +46,7 @@ jobs:
 steps:
 - name: Checkout Code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 fetch-depth: 0
@@ -54,12 +57,12 @@ jobs:
 git config --global user.email 41898282+github-actions[bot]@users.noreply.github.com
 - name: Setup Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: 3.13
 - name: Restore pip cache
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
 with:
 key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements-docs.txt') }}
 path: ~/.cache/pip
diff --git a/.github/workflows/editor_build.yml b/.github/workflows/editor_build.yml
index b60309ff5..468a35912 100644
--- a/.github/workflows/editor_build.yml
+++ b/.github/workflows/editor_build.yml
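Review bot: docs.yml's new workflow-level `permissions: contents: read` (first docs.yml hunk) makes `GITHUB_TOKEN` read-only, yet the `build_and_deploy` job checks out with `token: ${{ secrets.GITHUB_TOKEN }}`, `fetch-depth: 0` and sets a bot git identity, which looks like a later push; unless the job declares its own `permissions:` block with `contents: write` in the lines between the first and second docs.yml hunks (not visible here), that push will be rejected. This checkout is also the only one in the change that keeps the default credential persistence, which is what such a push needs, so a one-line comment above the step, `# credentials persisted on purpose: a later step pushes with GITHUB_TOKEN`, would stop the next reader from "fixing" it to match the other workflows. The remaining steps of build_and_deploy lie outside these hunks.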
@@ -28,15 +28,20 @@ on:
 - 'renderers/web_core/**'
 - '.github/workflows/editor_build.yml'
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '20'
diff --git a/.github/workflows/inspector_build.yml b/.github/workflows/inspector_build.yml
index e15e22cdd..7d2adf7e3 100644
--- a/.github/workflows/inspector_build.yml
+++ b/.github/workflows/inspector_build.yml
@@ -29,15 +29,20 @@ on:
 - 'renderers/web_core/**'
 - '.github/workflows/inspector_build.yml'
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '20'
diff --git a/.github/workflows/java_build_and_test.yml b/.github/workflows/java_build_and_test.yml
index ba55bbdb6..d843b9bb6 100644
--- a/.github/workflows/java_build_and_test.yml
+++ b/.github/workflows/java_build_and_test.yml
@@ -26,6 +26,9 @@ on:
 - 'agent_sdks/java/**'
 - 'specification/**/json/**'
+permissions:
+ contents: read
+
 jobs:
 build-and-test:
 name: Build and test Java agent sample
@@ -33,10 +36,12 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up JDK
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 java-version: '21'
 distribution: 'temurin'
diff --git a/.github/workflows/lit_build_and_test.yml b/.github/workflows/lit_build_and_test.yml
index 1f9b34fc1..48f07cad5 100644
--- a/.github/workflows/lit_build_and_test.yml
+++ b/.github/workflows/lit_build_and_test.yml
@@ -27,15 +27,20 @@ on:
 - 'renderers/web_core/**'
 - '.github/workflows/lit_build_and_test.yml'
+permissions:
+ contents: read
+
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '20'
diff --git a/.github/workflows/lit_samples_build.yml b/.github/workflows/lit_samples_build.yml
index b46557c9a..dfd9936dd 100644
--- a/.github/workflows/lit_samples_build.yml
+++ b/.github/workflows/lit_samples_build.yml
@@ -23,15 +23,20 @@ on:
 paths-ignore:
 - 'samples/agent/adk/**'
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '20'
diff --git a/.github/workflows/ng_build_and_test.yml b/.github/workflows/ng_build_and_test.yml
index 98ff508cb..93864b886 100644
--- a/.github/workflows/ng_build_and_test.yml
+++ b/.github/workflows/ng_build_and_test.yml
@@ -23,15 +23,20 @@ on:
 paths-ignore:
 - 'samples/agent/adk/**'
+permissions:
+ contents: read
+
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '20'
diff --git a/.github/workflows/python_agent_sdk_build_and_test.yml b/.github/workflows/python_agent_sdk_build_and_test.yml
index e2d57f3d1..091e355f8 100644
--- a/.github/workflows/python_agent_sdk_build_and_test.yml
+++ b/.github/workflows/python_agent_sdk_build_and_test.yml
@@ -26,16 +26,21 @@ on:
 - 'agent_sdks/python/**'
 - 'specification/**/json/**'
+permissions:
+ contents: read
+
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: '3.x'
diff --git a/.github/workflows/python_samples_build.yml b/.github/workflows/python_samples_build.yml
index ac0fc330b..e871594ce 100644
--- a/.github/workflows/python_samples_build.yml
+++ b/.github/workflows/python_samples_build.yml
@@ -28,6 +28,9 @@ on:
 - 'agent_sdks/python/**'
 - 'specification/**/json/**'
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build samples
@@ -35,10 +38,12 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: '3.x'
diff --git a/.github/workflows/react_renderer.yml b/.github/workflows/react_renderer.yml
index 50323d3b7..f5889d431 100644
--- a/.github/workflows/react_renderer.yml
+++ b/.github/workflows/react_renderer.yml
@@ -29,15 +29,20 @@ on:
 - 'renderers/lit/**'
 - 'samples/agent/adk/**'
+permissions:
+ contents: read
+
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '20'
@@ -63,10 +68,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '20'
@@ -92,10 +99,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '20'
diff --git a/.github/workflows/validate_specifications.yml b/.github/workflows/validate_specifications.yml
index 258c84be6..a9212b6d3 100644
--- a/.github/workflows/validate_specifications.yml
+++ b/.github/workflows/validate_specifications.yml
@@ -27,25 +27,30 @@ on:
 - '.github/workflows/validate_specifications.yml'
 - 'specification/scripts/validate.py'
+permissions:
+ contents: read
+
 jobs:
 validate:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Install pnpm
- uses: pnpm/action-setup@v4
+ uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
 with:
 version: 10
 - name: Set up Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '20'
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: '3.12'
diff --git a/.github/workflows/web_build_and_test.yml b/.github/workflows/web_build_and_test.yml
index d80edfd80..f6346f6ce 100644
--- a/.github/workflows/web_build_and_test.yml
+++ b/.github/workflows/web_build_and_test.yml
@@ -25,15 +25,20 @@ on:
 - 'renderers/web_core/**/*'
 - '.github/workflows/web_build_and_test.yml'
+permissions:
+ contents: read
+
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '20'
@@ -50,10 +55,12 @@ jobs:
 run: npm run test
 lint:
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '20'