diff --git a/.github/linters/zizmor.yaml b/.github/linters/zizmor.yaml new file mode 100644 index 0000000..21deccb --- /dev/null +++ b/.github/linters/zizmor.yaml @@ -0,0 +1,9 @@ +rules: + unpinned-uses: + config: + policies: + "*": ref-pin + unpinned-images: + config: + policies: + "*": ref-pin diff --git a/.github/renovate.json b/.github/renovate.json new file mode 100644 index 0000000..ed72ea3 --- /dev/null +++ b/.github/renovate.json @@ -0,0 +1,9 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "enabledManagers": ["dockerfile", "docker-compose"], + "extends": [ + "config:recommended", + ":disableDependencyDashboard", + "docker:pinDigests" + ] +} diff --git a/.github/workflows/add-labels-standardized.yaml b/.github/workflows/add-labels-standardized.yaml index c7f1c7a..e36297f 100644 --- a/.github/workflows/add-labels-standardized.yaml +++ b/.github/workflows/add-labels-standardized.yaml @@ -6,21 +6,22 @@ on: - opened - reopened -permissions: - issues: write +permissions: {} jobs: add-issue-labels: + permissions: + issues: write secrets: ORG_MEMBERSHIP_TOKEN: ${{ secrets.ORG_MEMBERSHIP_TOKEN }} SENZING_MEMBERS: ${{ secrets.SENZING_MEMBERS }} - uses: senzing-factory/build-resources/.github/workflows/add-labels-to-issue.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/add-labels-to-issue.yaml@v3 slack-notification: needs: [add-issue-labels] if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.add-issue-labels.outputs.job-status) }} secrets: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3 with: job-status: ${{ needs.add-issue-labels.outputs.job-status }} diff --git a/.github/workflows/add-to-project-garage-dependabot.yaml b/.github/workflows/add-to-project-garage-dependabot.yaml index f71293e..48f1ad8 100644 
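Review bot: The `"*": ref-pin` policy under `unpinned-uses` accepts any ref, so mutable tags such as the `@v3` and `actions/checkout@v5` pins elsewhere in this diff pass the audit even though a moved tag would run different code with the calling job's permissions and secrets. A tighter split keeps ref pins for the org's own reusable workflows and requires commit SHAs for everything else, e.g. `"senzing-factory/*": ref-pin` followed by `"*": hash-pin` (zizmor's policy matcher appears to prefer the more specific pattern, which is worth confirming against its docs before relying on it). The same trade-off applies to `unpinned-images`, where `ref-pin` accepts a floating image tag rather than a digest.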
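Review bot: `enabledManagers` restricts Renovate to `dockerfile` and `docker-compose`, so the `docker:pinDigests` preset will not reach `.github/workflows` at all; the `uses:` refs and the `services.image` entries there stay on mutable tags unless another tool maintains them. If Dependabot is meant to own the workflow files (the `dependabot-approve-and-merge` workflow in this diff suggests it is), that is fine, but nothing in this config says so. Otherwise adding `"github-actions"` to `enabledManagers` would bring the workflow `uses:` refs and, as far as I recall, the `container`/`services` images under the same digest pinning.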
--- a/.github/workflows/add-to-project-garage-dependabot.yaml +++ b/.github/workflows/add-to-project-garage-dependabot.yaml @@ -4,14 +4,15 @@ on: pull_request: branches: [main] -permissions: - repository-projects: write +permissions: {} jobs: add-to-project-dependabot: + permissions: + repository-projects: write secrets: SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/add-to-project-dependabot.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/add-to-project-dependabot.yaml@v3 with: project: ${{ vars.SENZING_PROJECT_GARAGE }} @@ -20,6 +21,6 @@ jobs: if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.add-to-project-dependabot.outputs.job-status) }} secrets: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3 with: job-status: ${{ needs.add-to-project-dependabot.outputs.job-status }} diff --git a/.github/workflows/add-to-project-garage.yaml b/.github/workflows/add-to-project-garage.yaml index a8b70f2..e2007a7 100644 --- a/.github/workflows/add-to-project-garage.yaml +++ b/.github/workflows/add-to-project-garage.yaml @@ -6,16 +6,16 @@ on: - opened - reopened -permissions: - repository-projects: write +permissions: {} jobs: add-to-project: + permissions: + repository-projects: write secrets: SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/add-to-project.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/add-to-project.yaml@v3 with: - classic: false project-number: ${{ vars.SENZING_PROJECT_GARAGE }} org: ${{ vars.SENZING_GITHUB_ACCOUNT_NAME }} 
@@ -24,6 +24,6 @@ jobs: if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.add-to-project.outputs.job-status) }} secrets: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3 with: job-status: ${{ needs.add-to-project.outputs.job-status }} diff --git a/.github/workflows/bearer.yaml b/.github/workflows/bearer.yaml index 0e0e588..963ef14 100644 --- a/.github/workflows/bearer.yaml +++ b/.github/workflows/bearer.yaml @@ -6,15 +6,18 @@ on: pull_request: branches: [main] -permissions: - contents: read +permissions: {} jobs: rule_check: + permissions: + contents: read runs-on: ubuntu-latest steps: - uses: actions/checkout@v5 + with: + persist-credentials: false - name: Bearer uses: bearer/bearer-action@v2 diff --git a/.github/workflows/dependabot-approve-and-merge.yaml b/.github/workflows/dependabot-approve-and-merge.yaml index 1c6ab10..73be7ce 100644 --- a/.github/workflows/dependabot-approve-and-merge.yaml +++ b/.github/workflows/dependabot-approve-and-merge.yaml 
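Review bot: `bearer/bearer-action@v2` is a third-party action outside both GitHub's and the org's namespaces and is pinned only by a mutable tag, so a moved tag would run arbitrary code against the freshly checked-out source with the job's `contents: read` token. Pin it to a full commit SHA and keep the tag as a trailing comment, `uses: bearer/bearer-action@<full-commit-sha> # v2`, so Dependabot/Renovate can bump the SHA and comment together. The `persist-credentials: false` added on the checkout above it is the right complement, since nothing in this job needs the token left in `.git/config`.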
@@ -4,21 +4,25 @@ on: pull_request: branches: [main] -permissions: - contents: write - pull-requests: write +permissions: {} jobs: dependabot-approve-and-merge-minor: + permissions: + contents: write + pull-requests: write secrets: SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN: ${{ secrets.SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v3 with: update-type: "minor" dependabot-approve-and-merge-patch: + permissions: + contents: write + pull-requests: write secrets: SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN: ${{ secrets.SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v3 with: update-type: "patch" diff --git a/.github/workflows/go-proxy-pull.yaml b/.github/workflows/go-proxy-pull.yaml index d28ef32..d0aba89 100644 --- a/.github/workflows/go-proxy-pull.yaml +++ b/.github/workflows/go-proxy-pull.yaml @@ -5,13 +5,14 @@ on: tags: - "v[0-9]+.[0-9]+.[0-9]+" -permissions: - contents: write +permissions: {} jobs: go-proxy-pull: outputs: status: ${{ job.status }} + permissions: + contents: write runs-on: ubuntu-latest steps: @@ -25,6 +26,6 @@ jobs: if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.go-proxy-pull.outputs.status) }} secrets: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3 with: job-status: ${{ needs.go-proxy-pull.outputs.status }} diff --git a/.github/workflows/go-test-darwin.yaml b/.github/workflows/go-test-darwin.yaml index 1f5be70..5bb16e5 100644 --- a/.github/workflows/go-test-darwin.yaml 
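Review bot: Both `dependabot-approve-and-merge-*` jobs now request `contents: write` and `pull-requests: write` and hand `SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN` to a reusable workflow on every `pull_request` to `main`, regardless of who opened it; any actor gating must live inside the `@v3` workflow, which this diff does not show. A caller-side guard such as `if: github.event.pull_request.user.login == 'dependabot[bot]'` on each job would skip the run outright for human PRs, so the write-scoped token and the PAT are never even minted for them. Fork PRs already get a read-only `GITHUB_TOKEN` and no secrets, so the exposure is same-repository branches, which is still worth closing given the approve-and-merge capability.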
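Review bot: `go-proxy-pull` is given `contents: write` on a tag push, but the steps that would justify a write scope are outside this hunk; if they only request the new module version from the Go proxy (the usual shape of a job with this name), `contents: read` is enough and the narrowing the rest of this commit is doing should apply here too. If a step really does push (a tag, a commit, a release), a one-line comment above the permission naming that step, e.g. `# write: <step name> pushes …`, would keep the next reviewer from trimming it. I can't tell which from what is visible, so treat this as a question rather than a defect.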
+++ b/.github/workflows/go-test-darwin.yaml @@ -11,14 +11,15 @@ env: SENZING_LOG_LEVEL: TRACE SENZING_TOOLS_DATABASE_URL: sqlite3://na:na@nowhere/tmp/sqlite/G2C.db -permissions: - contents: read +permissions: {} jobs: go-test-darwin: name: "Go test with Senzing: ${{ matrix.senzingsdk-version }}; OS: ${{ matrix.os }}; Go: ${{ matrix.go }}" outputs: status: ${{ job.status }} + permissions: + contents: read runs-on: ${{ matrix.os }} strategy: fail-fast: false @@ -30,6 +31,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v5 + with: + persist-credentials: false - name: Setup go ${{ matrix.go }} uses: actions/setup-go@v6 @@ -88,7 +91,9 @@ jobs: coverage: name: Coverage needs: go-test-darwin - uses: senzing-factory/build-resources/.github/workflows/go-coverage.yaml@v2 + permissions: + contents: read + uses: senzing-factory/build-resources/.github/workflows/go-coverage.yaml@v3 with: coverage-config: ./.github/coverage/testcoverage.yaml profile: "cover-production-v4.out,cover-staging-v4.out" @@ -98,6 +103,6 @@ jobs: if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.go-test-darwin.outputs.status ) && github.event_name == 'schedule' }} secrets: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3 with: job-status: ${{ needs.go-test-darwin.outputs.status }} diff --git a/.github/workflows/go-test-linux.yaml b/.github/workflows/go-test-linux.yaml index 341ef39..e46805c 100644 --- a/.github/workflows/go-test-linux.yaml +++ b/.github/workflows/go-test-linux.yaml 
@@ -11,14 +11,15 @@ env: SENZING_LOG_LEVEL: TRACE SENZING_TOOLS_DATABASE_URL: sqlite3://na:na@nowhere/tmp/sqlite/G2C.db -permissions: - contents: read +permissions: {} jobs: go-test-linux: name: "Go test with Senzing: ${{ matrix.senzingsdk-version }}; OS: ${{ matrix.os }}; Go: ${{ matrix.go }}" outputs: status: ${{ job.status }} + permissions: + contents: read runs-on: ${{ matrix.os }} strategy: fail-fast: false @@ -34,13 +35,15 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} env: SENZING_TOOLS_ENABLE_ALL: true - image: senzing/serve-grpc + image: senzing/serve-grpc:0.9.21 ports: - 8261:8261 steps: - name: Checkout repository uses: actions/checkout@v5 + with: + persist-credentials: false - name: Setup go ${{ matrix.go }} uses: actions/setup-go@v6 @@ -96,7 +99,9 @@ jobs: coverage: name: Coverage needs: go-test-linux - uses: senzing-factory/build-resources/.github/workflows/go-coverage.yaml@v2 + permissions: + contents: read + uses: senzing-factory/build-resources/.github/workflows/go-coverage.yaml@v3 with: coverage-config: ./.github/coverage/testcoverage.yaml profile: "cover-production-v4.out,cover-staging-v4.out" @@ -106,6 +111,6 @@ jobs: if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.go-test-linux.outputs.status ) && (github.ref_name == github.event.repository.default_branch || github.event_name == 'schedule') }} secrets: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3 with: job-status: ${{ needs.go-test-linux.outputs.status && needs.coverage.outputs.job-status }} diff --git a/.github/workflows/go-test-windows.yaml b/.github/workflows/go-test-windows.yaml index 56629dd..5702652 100644 --- a/.github/workflows/go-test-windows.yaml +++ b/.github/workflows/go-test-windows.yaml 
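Review bot: `image: senzing/serve-grpc:0.9.21` in the `services` block is pinned to a tag, not a digest, so the gRPC server the tests talk to can still be swapped by re-pushing the tag on Docker Hub, and the job logs in with `DOCKERHUB_USERNAME`/password on every run to pull it. Pinning by digest, `image: senzing/serve-grpc:0.9.21@sha256:<digest>`, makes the test fixture immutable and is what the new `unpinned-images` audit is meant to drive toward, though with `ref-pin` it will not flag this line. Note that the `renovate.json` added in this commit only enables the `dockerfile` and `docker-compose` managers, so it will not maintain this digest; Dependabot or the `github-actions` Renovate manager would be needed for that.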
@@ -11,14 +11,15 @@ env: SENZING_LOG_LEVEL: TRACE SENZING_TOOLS_DATABASE_URL: "sqlite3://na:na@nowhere/C:\\Temp\\sqlite\\G2C.db" -permissions: - contents: read +permissions: {} jobs: go-test-windows: name: "Go test with Senzing: ${{ matrix.senzingsdk-version }}; OS: windows-latest; Go: ${{ matrix.go }}" outputs: status: ${{ job.status }} + permissions: + contents: read runs-on: windows-latest strategy: fail-fast: false @@ -29,6 +30,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v5 + with: + persist-credentials: false - name: Setup go ${{ matrix.go }} uses: actions/setup-go@v6 @@ -83,7 +86,9 @@ jobs: coverage: name: Coverage needs: go-test-windows - uses: senzing-factory/build-resources/.github/workflows/go-coverage.yaml@v2 + permissions: + contents: read + uses: senzing-factory/build-resources/.github/workflows/go-coverage.yaml@v3 with: coverage-config: ./.github/coverage/testcoverage.yaml profile: "cover-production-v4.out,cover-staging-v4.out" @@ -93,6 +98,6 @@ jobs: if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.go-test-windows.outputs.status ) && github.event_name == 'schedule' }} secrets: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3 with: job-status: ${{ needs.go-test-windows.outputs.status }} diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml index 93190c5..364294e 100644 --- a/.github/workflows/golangci-lint.yaml +++ b/.github/workflows/golangci-lint.yaml 
@@ -6,15 +6,16 @@ on: pull_request: branches: [main] -permissions: - # Required: allow read access to the content for analysis. - contents: read - # Optional: allow read access to pull request. Use with `only-new-issues` option. - pull-requests: read +permissions: {} jobs: golangci: name: lint + permissions: + # Required: allow read access to the content for analysis. + contents: read + # Optional: allow read access to pull request. Use with `only-new-issues` option. + pull-requests: read runs-on: ubuntu-latest strategy: fail-fast: false @@ -25,6 +26,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v5 + with: + persist-credentials: false - name: Install Senzing SDK uses: senzing-factory/github-action-install-senzing-sdk@v3 diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml index 5614c03..49dd979 100644 --- a/.github/workflows/govulncheck.yaml +++ b/.github/workflows/govulncheck.yaml @@ -6,11 +6,12 @@ on: pull_request: branches: [main] -permissions: - contents: read +permissions: {} jobs: govulncheck: + permissions: + contents: read runs-on: ubuntu-latest strategy: fail-fast: false @@ -21,6 +22,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v5 + with: + persist-credentials: false - name: Setup go uses: actions/setup-go@v6 diff --git a/.github/workflows/lint-workflows.yaml b/.github/workflows/lint-workflows.yaml index e19c3f8..aa62139 100644 --- a/.github/workflows/lint-workflows.yaml +++ b/.github/workflows/lint-workflows.yaml @@ -6,12 +6,13 @@ on: pull_request: branches: [main] -permissions: - contents: read - packages: read - pull-requests: read - statuses: write +permissions: {} jobs: lint-workflows: - uses: senzing-factory/build-resources/.github/workflows/lint-workflows.yaml@v2 + permissions: + contents: read + packages: read + pull-requests: read + statuses: write + uses: senzing-factory/build-resources/.github/workflows/lint-workflows.yaml@v3 
diff --git a/.github/workflows/make-go-tag.yaml b/.github/workflows/make-go-tag.yaml index 7a6fbf0..2b5b210 100644 --- a/.github/workflows/make-go-tag.yaml +++ b/.github/workflows/make-go-tag.yaml @@ -5,14 +5,15 @@ on: tags: - "[0-9]+.[0-9]+.[0-9]+" -permissions: - contents: write +permissions: {} jobs: make-go-tag: name: Make a vM.m.P tag outputs: status: ${{ job.status }} + permissions: + contents: write runs-on: ubuntu-latest steps: @@ -34,6 +35,6 @@ jobs: if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.make-go-tag.outputs.status ) }} secrets: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3 with: job-status: ${{ needs.make-go-tag.outputs.status }} diff --git a/.github/workflows/move-pr-to-done-dependabot.yaml b/.github/workflows/move-pr-to-done-dependabot.yaml index c5e0e87..8094115 100644 --- a/.github/workflows/move-pr-to-done-dependabot.yaml +++ b/.github/workflows/move-pr-to-done-dependabot.yaml @@ -5,13 +5,14 @@ on: branches: [main] types: [closed] -permissions: - repository-projects: write +permissions: {} jobs: move-pr-to-done-dependabot: + permissions: + repository-projects: write secrets: SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }} - uses: senzing-factory/build-resources/.github/workflows/move-pr-to-done-dependabot.yaml@v2 + uses: senzing-factory/build-resources/.github/workflows/move-pr-to-done-dependabot.yaml@v3 with: project: ${{ vars.SENZING_PROJECT_GARAGE }} diff --git a/.github/workflows/spellcheck.yaml b/.github/workflows/spellcheck.yaml index bdd3f9d..8e8f35b 100644 --- a/.github/workflows/spellcheck.yaml +++ b/.github/workflows/spellcheck.yaml 
@@ -4,15 +4,18 @@ on: pull_request: branches: [main] -permissions: - contents: read +permissions: {} jobs: spellcheck: + permissions: + contents: read runs-on: ubuntu-latest steps: - uses: actions/checkout@v5 + with: + persist-credentials: false - uses: streetsidesoftware/cspell-action@v7 with: