From c00c2e0d9b9651306b48399a4fdaaee961d3e79e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 26 Sep 2025 11:07:03 +0000
Subject: [PATCH 1/8] Bump senzing-factory/build-resources from 2 to 3
Bumps [senzing-factory/build-resources](https://github.com/senzing-factory/build-resources) from 2 to 3.
- [Release notes](https://github.com/senzing-factory/build-resources/releases)
- [Changelog](https://github.com/senzing-factory/build-resources/blob/main/CHANGELOG.md)
- [Commits](https://github.com/senzing-factory/build-resources/compare/v2...v3)
---
updated-dependencies:
- dependency-name: senzing-factory/build-resources
dependency-version: '3'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
.github/workflows/add-labels-standardized.yaml | 4 ++--
.github/workflows/add-to-project-garage-dependabot.yaml | 4 ++--
.github/workflows/add-to-project-garage.yaml | 4 ++--
.github/workflows/dependabot-approve-and-merge.yaml | 4 ++--
.github/workflows/go-proxy-pull.yaml | 2 +-
.github/workflows/go-test-darwin.yaml | 4 ++--
.github/workflows/go-test-linux.yaml | 4 ++--
.github/workflows/go-test-windows.yaml | 4 ++--
.github/workflows/lint-workflows.yaml | 2 +-
.github/workflows/make-go-tag.yaml | 2 +-
.github/workflows/move-pr-to-done-dependabot.yaml | 2 +-
11 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/add-labels-standardized.yaml b/.github/workflows/add-labels-standardized.yaml
index c7f1c7a..e77d462 100644
--- a/.github/workflows/add-labels-standardized.yaml
+++ b/.github/workflows/add-labels-standardized.yaml
@@ -14,13 +14,13 @@ jobs:
 secrets:
 ORG_MEMBERSHIP_TOKEN: ${{ secrets.ORG_MEMBERSHIP_TOKEN }}
 SENZING_MEMBERS: ${{ secrets.SENZING_MEMBERS }}
- uses: senzing-factory/build-resources/.github/workflows/add-labels-to-issue.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/add-labels-to-issue.yaml@v3
 slack-notification:
 needs: [add-issue-labels]
 if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.add-issue-labels.outputs.job-status) }}
 secrets:
 SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
- uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3
 with:
 job-status: ${{ needs.add-issue-labels.outputs.job-status }}
diff --git a/.github/workflows/add-to-project-garage-dependabot.yaml b/.github/workflows/add-to-project-garage-dependabot.yaml
index f71293e..b39fd6c 100644
--- a/.github/workflows/add-to-project-garage-dependabot.yaml
+++ b/.github/workflows/add-to-project-garage-dependabot.yaml
@@ -11,7 +11,7 @@ jobs:
 add-to-project-dependabot:
 secrets:
 SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }}
- uses: senzing-factory/build-resources/.github/workflows/add-to-project-dependabot.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/add-to-project-dependabot.yaml@v3
 with:
 project: ${{ vars.SENZING_PROJECT_GARAGE }}
@@ -20,6 +20,6 @@ jobs:
 if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.add-to-project-dependabot.outputs.job-status) }}
 secrets:
 SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
- uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3
 with:
 job-status: ${{ needs.add-to-project-dependabot.outputs.job-status }}
diff --git a/.github/workflows/add-to-project-garage.yaml b/.github/workflows/add-to-project-garage.yaml
index a8b70f2..cc8322c 100644
--- a/.github/workflows/add-to-project-garage.yaml
+++ b/.github/workflows/add-to-project-garage.yaml
@@ -13,7 +13,7 @@ jobs:
 add-to-project:
 secrets:
 SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }}
- uses: senzing-factory/build-resources/.github/workflows/add-to-project.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/add-to-project.yaml@v3
 with:
 classic: false
 project-number: ${{ vars.SENZING_PROJECT_GARAGE }}
@@ -24,6 +24,6 @@ jobs:
 if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.add-to-project.outputs.job-status) }}
 secrets:
 SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
- uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3
 with:
 job-status: ${{ needs.add-to-project.outputs.job-status }}
diff --git a/.github/workflows/dependabot-approve-and-merge.yaml b/.github/workflows/dependabot-approve-and-merge.yaml
index 1c6ab10..f7b28a2 100644
--- a/.github/workflows/dependabot-approve-and-merge.yaml
+++ b/.github/workflows/dependabot-approve-and-merge.yaml
@@ -12,13 +12,13 @@ jobs:
 dependabot-approve-and-merge-minor:
 secrets:
 SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN: ${{ secrets.SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN }}
- uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v3
 with:
 update-type: "minor"
 dependabot-approve-and-merge-patch:
 secrets:
 SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN: ${{ secrets.SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN }}
- uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v3
 with:
 update-type: "patch"
diff --git a/.github/workflows/go-proxy-pull.yaml b/.github/workflows/go-proxy-pull.yaml
index d28ef32..f1872a9 100644
--- a/.github/workflows/go-proxy-pull.yaml
+++ b/.github/workflows/go-proxy-pull.yaml
@@ -25,6 +25,6 @@ jobs:
 if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.go-proxy-pull.outputs.status) }}
 secrets:
 SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
- uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3
 with:
 job-status: ${{ needs.go-proxy-pull.outputs.status }}
diff --git a/.github/workflows/go-test-darwin.yaml b/.github/workflows/go-test-darwin.yaml
index 1f5be70..2af637c 100644
--- a/.github/workflows/go-test-darwin.yaml
+++ b/.github/workflows/go-test-darwin.yaml
@@ -88,7 +88,7 @@ jobs:
 coverage:
 name: Coverage
 needs: go-test-darwin
- uses: senzing-factory/build-resources/.github/workflows/go-coverage.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/go-coverage.yaml@v3
 with:
 coverage-config: ./.github/coverage/testcoverage.yaml
 profile: "cover-production-v4.out,cover-staging-v4.out"
@@ -98,6 +98,6 @@ jobs:
 if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.go-test-darwin.outputs.status ) && github.event_name == 'schedule' }}
 secrets:
 SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
- uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3
 with:
 job-status: ${{ needs.go-test-darwin.outputs.status }}
diff --git a/.github/workflows/go-test-linux.yaml b/.github/workflows/go-test-linux.yaml
index 341ef39..3eb5b24 100644
--- a/.github/workflows/go-test-linux.yaml
+++ b/.github/workflows/go-test-linux.yaml
@@ -96,7 +96,7 @@ jobs:
 coverage:
 name: Coverage
 needs: go-test-linux
- uses: senzing-factory/build-resources/.github/workflows/go-coverage.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/go-coverage.yaml@v3
 with:
 coverage-config: ./.github/coverage/testcoverage.yaml
 profile: "cover-production-v4.out,cover-staging-v4.out"
@@ -106,6 +106,6 @@ jobs:
 if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.go-test-linux.outputs.status ) && (github.ref_name == github.event.repository.default_branch || github.event_name == 'schedule') }}
 secrets:
 SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
- uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3
 with:
 job-status: ${{ needs.go-test-linux.outputs.status && needs.coverage.outputs.job-status }}
diff --git a/.github/workflows/go-test-windows.yaml b/.github/workflows/go-test-windows.yaml
index 56629dd..8bbe855 100644
--- a/.github/workflows/go-test-windows.yaml
+++ b/.github/workflows/go-test-windows.yaml
@@ -83,7 +83,7 @@ jobs:
 coverage:
 name: Coverage
 needs: go-test-windows
- uses: senzing-factory/build-resources/.github/workflows/go-coverage.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/go-coverage.yaml@v3
 with:
 coverage-config: ./.github/coverage/testcoverage.yaml
 profile: "cover-production-v4.out,cover-staging-v4.out"
@@ -93,6 +93,6 @@ jobs:
 if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.go-test-windows.outputs.status ) && github.event_name == 'schedule' }}
 secrets:
 SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
- uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3
 with:
 job-status: ${{ needs.go-test-windows.outputs.status }}
diff --git a/.github/workflows/lint-workflows.yaml b/.github/workflows/lint-workflows.yaml
index e19c3f8..b7f3fdf 100644
--- a/.github/workflows/lint-workflows.yaml
+++ b/.github/workflows/lint-workflows.yaml
@@ -14,4 +14,4 @@ permissions:
 jobs:
 lint-workflows:
- uses: senzing-factory/build-resources/.github/workflows/lint-workflows.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/lint-workflows.yaml@v3
diff --git a/.github/workflows/make-go-tag.yaml b/.github/workflows/make-go-tag.yaml
index 7a6fbf0..bba109d 100644
--- a/.github/workflows/make-go-tag.yaml
+++ b/.github/workflows/make-go-tag.yaml
@@ -34,6 +34,6 @@ jobs:
 if: ${{ always() && contains(fromJSON('["failure", "cancelled"]'), needs.make-go-tag.outputs.status ) }}
 secrets:
 SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
- uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/build-failure-slack-notification.yaml@v3
 with:
 job-status: ${{ needs.make-go-tag.outputs.status }}
diff --git a/.github/workflows/move-pr-to-done-dependabot.yaml b/.github/workflows/move-pr-to-done-dependabot.yaml
index c5e0e87..af63c7f 100644
--- a/.github/workflows/move-pr-to-done-dependabot.yaml
+++ b/.github/workflows/move-pr-to-done-dependabot.yaml
@@ -12,6 +12,6 @@ jobs:
 move-pr-to-done-dependabot:
 secrets:
 SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }}
- uses: senzing-factory/build-resources/.github/workflows/move-pr-to-done-dependabot.yaml@v2
+ uses: senzing-factory/build-resources/.github/workflows/move-pr-to-done-dependabot.yaml@v3
 with:
 project: ${{ vars.SENZING_PROJECT_GARAGE }}
From 8074f4a2b5fe5735bc102b68e793eb171be7f68e Mon Sep 17 00:00:00 2001
From: Sam <109683132+kernelsam@users.noreply.github.com>
Date: Thu, 2 Oct 2025 09:39:06 -0700
Subject: [PATCH 2/8] update linting
---
.github/linters/zizmor.yaml | 5 +++++
.github/workflows/add-labels-standardized.yaml | 5 +++--
.../workflows/add-to-project-garage-dependabot.yaml | 5 +++--
.github/workflows/add-to-project-garage.yaml | 6 +++---
.github/workflows/bearer.yaml | 7 +++++--
.github/workflows/dependabot-approve-and-merge.yaml | 10 +++++++---
.github/workflows/go-proxy-pull.yaml | 5 +++--
.github/workflows/go-test-darwin.yaml | 9 +++++++--
.github/workflows/go-test-linux.yaml | 9 +++++++--
.github/workflows/go-test-windows.yaml | 9 +++++++--
.github/workflows/golangci-lint.yaml | 13 ++++++++-----
.github/workflows/govulncheck.yaml | 7 +++++--
.github/workflows/lint-workflows.yaml | 11 ++++++-----
.github/workflows/make-go-tag.yaml | 5 +++--
.github/workflows/move-pr-to-done-dependabot.yaml | 5 +++--
.github/workflows/spellcheck.yaml | 7 +++++--
16 files changed, 80 insertions(+), 38 deletions(-)
create mode 100644 .github/linters/zizmor.yaml
diff --git a/.github/linters/zizmor.yaml b/.github/linters/zizmor.yaml
new file mode 100644
index 0000000..00ea2bb
--- /dev/null
+++ b/.github/linters/zizmor.yaml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ "*": ref-pin
diff --git a/.github/workflows/add-labels-standardized.yaml b/.github/workflows/add-labels-standardized.yaml
index e77d462..e36297f 100644
--- a/.github/workflows/add-labels-standardized.yaml
+++ b/.github/workflows/add-labels-standardized.yaml
@@ -6,11 +6,12 @@ on:
 - opened
 - reopened
-permissions:
- issues: write
+permissions: {}
 jobs:
 add-issue-labels:
+ permissions:
+ issues: write
 secrets:
 ORG_MEMBERSHIP_TOKEN: ${{ secrets.ORG_MEMBERSHIP_TOKEN }}
 SENZING_MEMBERS: ${{ secrets.SENZING_MEMBERS }}
diff --git a/.github/workflows/add-to-project-garage-dependabot.yaml b/.github/workflows/add-to-project-garage-dependabot.yaml
index b39fd6c..48f1ad8 100644
--- a/.github/workflows/add-to-project-garage-dependabot.yaml
+++ b/.github/workflows/add-to-project-garage-dependabot.yaml
@@ -4,11 +4,12 @@ on:
 pull_request:
 branches: [main]
-permissions:
- repository-projects: write
+permissions: {}
 jobs:
 add-to-project-dependabot:
+ permissions:
+ repository-projects: write
 secrets:
 SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }}
 uses: senzing-factory/build-resources/.github/workflows/add-to-project-dependabot.yaml@v3
diff --git a/.github/workflows/add-to-project-garage.yaml b/.github/workflows/add-to-project-garage.yaml
index cc8322c..e2007a7 100644
--- a/.github/workflows/add-to-project-garage.yaml
+++ b/.github/workflows/add-to-project-garage.yaml
@@ -6,16 +6,16 @@ on:
 - opened
 - reopened
-permissions:
- repository-projects: write
+permissions: {}
 jobs:
 add-to-project:
+ permissions:
+ repository-projects: write
 secrets:
 SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }}
 uses: senzing-factory/build-resources/.github/workflows/add-to-project.yaml@v3
 with:
- classic: false
 project-number: ${{ vars.SENZING_PROJECT_GARAGE }}
 org: ${{ vars.SENZING_GITHUB_ACCOUNT_NAME }}
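Review bot: The `"*": ref-pin` policy in the new `unpinned-uses` rule only rejects a `uses:` with no ref at all; it accepts the mutable tag refs every workflow in this series still carries (`actions/checkout@v5`, `bearer/bearer-action@v2`, `senzing-factory/build-resources/...@v3`), so a tag moved to different code would pass the lint. zizmor's stricter `hash-pin` policy would require commit SHAs, but it would fail on the current workflows until they are re-pinned, so if `ref-pin` is the deliberate interim choice the file should say so, e.g. `# ref-pin: tag refs are accepted for now; tighten to hash-pin once actions are SHA-pinned`. The same applies to the `unpinned-images` rule with the identical policy added to this file in patch 3.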
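Review bot: Dropping the `classic: false` input from the `add-to-project` call in add-to-project-garage.yaml is a functional change that the commit subject "update linting" does not mention, and nothing in the hunk shows whether `add-to-project.yaml@v3` still accepts or defaults that input. If v3 removed the input, the commit message should say so; if it still accepts it, keep the line so the project type stays explicit rather than relying on the callee's default.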
diff --git a/.github/workflows/bearer.yaml b/.github/workflows/bearer.yaml
index 0e0e588..963ef14 100644
--- a/.github/workflows/bearer.yaml
+++ b/.github/workflows/bearer.yaml
@@ -6,15 +6,18 @@ on:
 pull_request:
 branches: [main]
-permissions:
- contents: read
+permissions: {}
 jobs:
 rule_check:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Bearer
 uses: bearer/bearer-action@v2
diff --git a/.github/workflows/dependabot-approve-and-merge.yaml b/.github/workflows/dependabot-approve-and-merge.yaml
index f7b28a2..73be7ce 100644
--- a/.github/workflows/dependabot-approve-and-merge.yaml
+++ b/.github/workflows/dependabot-approve-and-merge.yaml
@@ -4,12 +4,13 @@ on:
 pull_request:
 branches: [main]
-permissions:
- contents: write
- pull-requests: write
+permissions: {}
 jobs:
 dependabot-approve-and-merge-minor:
+ permissions:
+ contents: write
+ pull-requests: write
 secrets:
 SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN: ${{ secrets.SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN }}
 uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v3
@@ -17,6 +18,9 @@ jobs:
 update-type: "minor"
 dependabot-approve-and-merge-patch:
+ permissions:
+ contents: write
+ pull-requests: write
 secrets:
 SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN: ${{ secrets.SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN }}
 uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v3
diff --git a/.github/workflows/go-proxy-pull.yaml b/.github/workflows/go-proxy-pull.yaml
index f1872a9..d0aba89 100644
--- a/.github/workflows/go-proxy-pull.yaml
+++ b/.github/workflows/go-proxy-pull.yaml
@@ -5,13 +5,14 @@ on:
 tags:
 - "v[0-9]+.[0-9]+.[0-9]+"
-permissions:
- contents: write
+permissions: {}
 jobs:
 go-proxy-pull:
 outputs:
 status: ${{ job.status }}
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
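Review bot: The `go-proxy-pull` job keeps `contents: write` after the move to job-level permissions, but unlike every other workflow in this commit no `persist-credentials: false` is added to its checkout; the `steps:` list starts outside the hunk, and the diffstat for this file (`5 +++--`) shows only the permissions move touched it. The same holds for `make-go-tag` in patch 2, which also gets `contents: write`. These are the two jobs whose token carries write scope, so if either checks out the repository with `actions/checkout`, add `with:` / `persist-credentials: false` there as well so the write-scoped token is not left in the workspace's git config for later steps.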
diff --git a/.github/workflows/go-test-darwin.yaml b/.github/workflows/go-test-darwin.yaml
index 2af637c..5bb16e5 100644
--- a/.github/workflows/go-test-darwin.yaml
+++ b/.github/workflows/go-test-darwin.yaml
@@ -11,14 +11,15 @@ env:
 SENZING_LOG_LEVEL: TRACE
 SENZING_TOOLS_DATABASE_URL: sqlite3://na:na@nowhere/tmp/sqlite/G2C.db
-permissions:
- contents: read
+permissions: {}
 jobs:
 go-test-darwin:
 name: "Go test with Senzing: ${{ matrix.senzingsdk-version }}; OS: ${{ matrix.os }}; Go: ${{ matrix.go }}"
 outputs:
 status: ${{ job.status }}
+ permissions:
+ contents: read
 runs-on: ${{ matrix.os }}
 strategy:
 fail-fast: false
@@ -30,6 +31,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Setup go ${{ matrix.go }}
 uses: actions/setup-go@v6
@@ -88,6 +91,8 @@ jobs:
 coverage:
 name: Coverage
 needs: go-test-darwin
+ permissions:
+ contents: read
 uses: senzing-factory/build-resources/.github/workflows/go-coverage.yaml@v3
 with:
 coverage-config: ./.github/coverage/testcoverage.yaml
diff --git a/.github/workflows/go-test-linux.yaml b/.github/workflows/go-test-linux.yaml
index 3eb5b24..bf511ab 100644
--- a/.github/workflows/go-test-linux.yaml
+++ b/.github/workflows/go-test-linux.yaml
@@ -11,14 +11,15 @@ env:
 SENZING_LOG_LEVEL: TRACE
 SENZING_TOOLS_DATABASE_URL: sqlite3://na:na@nowhere/tmp/sqlite/G2C.db
-permissions:
- contents: read
+permissions: {}
 jobs:
 go-test-linux:
 name: "Go test with Senzing: ${{ matrix.senzingsdk-version }}; OS: ${{ matrix.os }}; Go: ${{ matrix.go }}"
 outputs:
 status: ${{ job.status }}
+ permissions:
+ contents: read
 runs-on: ${{ matrix.os }}
 strategy:
 fail-fast: false
@@ -41,6 +42,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Setup go ${{ matrix.go }}
 uses: actions/setup-go@v6
@@ -96,6 +99,8 @@ jobs:
 coverage:
 name: Coverage
 needs: go-test-linux
+ permissions:
+ contents: read
 uses: senzing-factory/build-resources/.github/workflows/go-coverage.yaml@v3
 with:
 coverage-config: ./.github/coverage/testcoverage.yaml
diff --git a/.github/workflows/go-test-windows.yaml b/.github/workflows/go-test-windows.yaml
index 8bbe855..5702652 100644
--- a/.github/workflows/go-test-windows.yaml
+++ b/.github/workflows/go-test-windows.yaml
@@ -11,14 +11,15 @@ env:
 SENZING_LOG_LEVEL: TRACE
 SENZING_TOOLS_DATABASE_URL: "sqlite3://na:na@nowhere/C:\\Temp\\sqlite\\G2C.db"
-permissions:
- contents: read
+permissions: {}
 jobs:
 go-test-windows:
 name: "Go test with Senzing: ${{ matrix.senzingsdk-version }}; OS: windows-latest; Go: ${{ matrix.go }}"
 outputs:
 status: ${{ job.status }}
+ permissions:
+ contents: read
 runs-on: windows-latest
 strategy:
 fail-fast: false
@@ -29,6 +30,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Setup go ${{ matrix.go }}
 uses: actions/setup-go@v6
@@ -83,6 +86,8 @@ jobs:
 coverage:
 name: Coverage
 needs: go-test-windows
+ permissions:
+ contents: read
 uses: senzing-factory/build-resources/.github/workflows/go-coverage.yaml@v3
 with:
 coverage-config: ./.github/coverage/testcoverage.yaml
diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml
index 93190c5..364294e 100644
--- a/.github/workflows/golangci-lint.yaml
+++ b/.github/workflows/golangci-lint.yaml
@@ -6,15 +6,16 @@ on:
 pull_request:
 branches: [main]
-permissions:
- # Required: allow read access to the content for analysis.
- contents: read
- # Optional: allow read access to pull request. Use with `only-new-issues` option.
- pull-requests: read
+permissions: {}
 jobs:
 golangci:
 name: lint
+ permissions:
+ # Required: allow read access to the content for analysis.
+ contents: read
+ # Optional: allow read access to pull request. Use with `only-new-issues` option.
+ pull-requests: read
 runs-on: ubuntu-latest
 strategy:
 fail-fast: false
@@ -25,6 +26,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Install Senzing SDK
 uses: senzing-factory/github-action-install-senzing-sdk@v3
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
index 5614c03..49dd979 100644
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -6,11 +6,12 @@ on:
 pull_request:
 branches: [main]
-permissions:
- contents: read
+permissions: {}
 jobs:
 govulncheck:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 strategy:
 fail-fast: false
@@ -21,6 +22,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Setup go
 uses: actions/setup-go@v6
diff --git a/.github/workflows/lint-workflows.yaml b/.github/workflows/lint-workflows.yaml
index b7f3fdf..aa62139 100644
--- a/.github/workflows/lint-workflows.yaml
+++ b/.github/workflows/lint-workflows.yaml
@@ -6,12 +6,13 @@ on:
 pull_request:
 branches: [main]
-permissions:
- contents: read
- packages: read
- pull-requests: read
- statuses: write
+permissions: {}
 jobs:
 lint-workflows:
+ permissions:
+ contents: read
+ packages: read
+ pull-requests: read
+ statuses: write
 uses: senzing-factory/build-resources/.github/workflows/lint-workflows.yaml@v3
diff --git a/.github/workflows/make-go-tag.yaml b/.github/workflows/make-go-tag.yaml
index bba109d..2b5b210 100644
--- a/.github/workflows/make-go-tag.yaml
+++ b/.github/workflows/make-go-tag.yaml
@@ -5,14 +5,15 @@ on:
 tags:
 - "[0-9]+.[0-9]+.[0-9]+"
-permissions:
- contents: write
+permissions: {}
 jobs:
 make-go-tag:
 name: Make a vM.m.P tag
 outputs:
 status: ${{ job.status }}
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/move-pr-to-done-dependabot.yaml b/.github/workflows/move-pr-to-done-dependabot.yaml
index af63c7f..8094115 100644
--- a/.github/workflows/move-pr-to-done-dependabot.yaml
+++ b/.github/workflows/move-pr-to-done-dependabot.yaml
@@ -5,11 +5,12 @@ on:
 branches: [main]
 types: [closed]
-permissions:
- repository-projects: write
+permissions: {}
 jobs:
 move-pr-to-done-dependabot:
+ permissions:
+ repository-projects: write
 secrets:
 SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }}
 uses: senzing-factory/build-resources/.github/workflows/move-pr-to-done-dependabot.yaml@v3
diff --git a/.github/workflows/spellcheck.yaml b/.github/workflows/spellcheck.yaml
index bdd3f9d..8e8f35b 100644
--- a/.github/workflows/spellcheck.yaml
+++ b/.github/workflows/spellcheck.yaml
@@ -4,15 +4,18 @@ on:
 pull_request:
 branches: [main]
-permissions:
- contents: read
+permissions: {}
 jobs:
 spellcheck:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: streetsidesoftware/cspell-action@v7
 with:
From 781597484f9f4201a90c7da5918f791d1644223c Mon Sep 17 00:00:00 2001
From: Sam <109683132+kernelsam@users.noreply.github.com>
Date: Thu, 2 Oct 2025 09:43:19 -0700
Subject: [PATCH 3/8] update linting
---
.github/linters/zizmor.yaml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/linters/zizmor.yaml b/.github/linters/zizmor.yaml
index 00ea2bb..21deccb 100644
--- a/.github/linters/zizmor.yaml
+++ b/.github/linters/zizmor.yaml
@@ -3,3 +3,7 @@ rules:
 config:
 policies:
 "*": ref-pin
+ unpinned-images:
+ config:
+ policies:
+ "*": ref-pin
From 24e858ce5ff9da917f230871eba65fca4e80043f Mon Sep 17 00:00:00 2001
From: Sam <109683132+kernelsam@users.noreply.github.com>
Date: Wed, 8 Oct 2025 15:37:57 -0700
Subject: [PATCH 4/8] update linting
---
.github/renovate.json | 9 +++++++++
.github/workflows/go-test-linux.yaml | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
create mode 100644 .github/renovate.json
diff --git a/.github/renovate.json b/.github/renovate.json
new file mode 100644
index 0000000..ed72ea3
--- /dev/null
+++ b/.github/renovate.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "enabledManagers": ["dockerfile", "docker-compose"],
+ "extends": [
+ "config:recommended",
+ ":disableDependencyDashboard",
+ "docker:pinDigests"
+ ]
+}
diff --git a/.github/workflows/go-test-linux.yaml b/.github/workflows/go-test-linux.yaml
index bf511ab..e46805c 100644
--- a/.github/workflows/go-test-linux.yaml
+++ b/.github/workflows/go-test-linux.yaml
@@ -35,7 +35,7 @@ jobs:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 env:
 SENZING_TOOLS_ENABLE_ALL: true
- image: senzing/serve-grpc
+ image: senzing/serve-grpc:0.9.21
 ports:
 - 8261:8261
From 52c5f98523b20ce6bdeb859751d240ffe45dde75 Mon Sep 17 00:00:00 2001
From: Sam <109683132+kernelsam@users.noreply.github.com>
Date: Thu, 9 Oct 2025 07:33:22 -0700
Subject: [PATCH 5/8] update linting
---
.github/workflows/lint-workflows.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint-workflows.yaml b/.github/workflows/lint-workflows.yaml
index aa62139..fe475c6 100644
--- a/.github/workflows/lint-workflows.yaml
+++ b/.github/workflows/lint-workflows.yaml
@@ -15,4 +15,4 @@ jobs:
 packages: read
 pull-requests: read
 statuses: write
- uses: senzing-factory/build-resources/.github/workflows/lint-workflows.yaml@v3
+ uses: senzing-factory/build-resources/.github/workflows/lint-workflows.yaml@add-token
From 83574f89e6e90e81aacd4fccc179571f3a0313fb Mon Sep 17 00:00:00 2001
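Review bot: `enabledManagers` in the new renovate.json lists only `dockerfile` and `docker-compose`, so the `docker:pinDigests` preset will not reach the service-container image that the next hunk pins to `senzing/serve-grpc:0.9.21` in `.github/workflows/go-test-linux.yaml`; as far as I can tell, `image:` entries inside workflow files are handled by Renovate's `github-actions` manager, which is not enabled here. A version tag is still mutable, so if digest pinning is the intent either add `github-actions` to `enabledManagers` or pin the image directly, e.g. `image: senzing/serve-grpc:0.9.21@sha256:<digest from the registry>`, and record the chosen approach in the commit message since "update linting" does not explain why Renovate is being introduced alongside the existing Dependabot setup.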
From: Sam <109683132+kernelsam@users.noreply.github.com>
Date: Thu, 9 Oct 2025 07:36:17 -0700
Subject: [PATCH 6/8] revert
---
.github/workflows/lint-workflows.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint-workflows.yaml b/.github/workflows/lint-workflows.yaml
index fe475c6..aa62139 100644
--- a/.github/workflows/lint-workflows.yaml
+++ b/.github/workflows/lint-workflows.yaml
@@ -15,4 +15,4 @@ jobs:
 packages: read
 pull-requests: read
 statuses: write
- uses: senzing-factory/build-resources/.github/workflows/lint-workflows.yaml@add-token
+ uses: senzing-factory/build-resources/.github/workflows/lint-workflows.yaml@v3
From 505bac083d6a652832e2139ac0697b503c7fcf12 Mon Sep 17 00:00:00 2001
From: Sam <109683132+kernelsam@users.noreply.github.com>
Date: Thu, 9 Oct 2025 07:38:40 -0700
Subject: [PATCH 7/8] Empty-Commit
From 50db3615b9b417edbcda85e11c17f17dd4ce3621 Mon Sep 17 00:00:00 2001
From: Sam <109683132+kernelsam@users.noreply.github.com>
Date: Thu, 9 Oct 2025 09:58:40 -0700
Subject: [PATCH 8/8] Empty-Commit