From 460117a2380c94b4e1ee514eb61e303ee283cf2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9ophane=20Hufschmitt?= Date: Fri, 10 Jun 2022 12:09:09 +0200 Subject: Correctly get the nix version in the docker job `defaultPackage` doesn't exist anymore, so we can't use it. Instead just use the new CLI which should be more robust to these changes Fix #6640 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to '.github/workflows') diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index aae5b93e0..fc6531ea5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -88,7 +88,7 @@ jobs: fetch-depth: 0 - uses: cachix/install-nix-action@v17 - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV - - run: echo NIX_VERSION="$(nix-instantiate --eval -E '(import ./default.nix).defaultPackage.${builtins.currentSystem}.version' | tr -d \")" >> $GITHUB_ENV + - run: echo NIX_VERSION="$(nix --experimental-features 'nix-command flakes' eval .\#default.version | tr -d \")" >> $GITHUB_ENV - uses: cachix/cachix-action@v10 if: needs.check_cachix.outputs.secret == 'true' with: -- cgit v1.2.3 From d31c520f40101326179fe27bad7ccc2045c73156 Mon Sep 17 00:00:00 2001 From: naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Fri, 1 Jul 2022 00:29:30 +0000 Subject: chore: Set permissions for GitHub actions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/ci.yml | 2 ++ .github/workflows/hydra_status.yml | 3 +++ 2 files changed, 5 insertions(+) (limited to '.github/workflows') diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fc6531ea5..1a317f267 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -28,6 +28,8 @@ jobs: - run: nix --experimental-features 'nix-command flakes' flake check -L check_cachix: + permissions: + contents: none name: Cachix secret present for installer tests runs-on: ubuntu-latest outputs: diff --git a/.github/workflows/hydra_status.yml b/.github/workflows/hydra_status.yml index 53e69cb2d..d85999256 100644 --- a/.github/workflows/hydra_status.yml +++ b/.github/workflows/hydra_status.yml @@ -3,6 +3,9 @@ on: schedule: - cron: "12,42 * * * *" workflow_dispatch: +permissions: + contents: read + jobs: check_hydra_status: name: Check Hydra status -- cgit v1.2.3 From 70083218b3727bd1279026cbe4d4179d0c7182c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9ophane=20Hufschmitt?= Date: Tue, 5 Jul 2022 12:06:58 +0200 Subject: Restrict the permissions of the CI --- .github/workflows/ci.yml | 2 ++ .github/workflows/hydra_status.yml | 3 +++ 2 files changed, 5 insertions(+) (limited to '.github/workflows') diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1a317f267..956f81684 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,6 +4,8 @@ on: pull_request: push: +permissions: read-all + jobs: tests: diff --git a/.github/workflows/hydra_status.yml b/.github/workflows/hydra_status.yml index d85999256..7766e4f8e 100644 --- a/.github/workflows/hydra_status.yml +++ b/.github/workflows/hydra_status.yml @@ -1,4 +1,7 @@ name: Hydra status + +permissions: read-all + on: schedule: - cron: "12,42 * * * *" -- cgit v1.2.3 From 541e10496a242d7c32b4e3f3ce9b4caacc04eb14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9ophane=20Hufschmitt?= Date: Tue, 5 Jul 2022 16:28:39 +0200 Subject: Fix the hydra_status CI job --- .github/workflows/hydra_status.yml | 2 -- 1 file changed, 2 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/hydra_status.yml b/.github/workflows/hydra_status.yml index 7766e4f8e..38a9c0877 100644 --- a/.github/workflows/hydra_status.yml +++ b/.github/workflows/hydra_status.yml @@ -6,8 +6,6 @@ on: schedule: - cron: "12,42 * * * *" workflow_dispatch: -permissions: - contents: read jobs: check_hydra_status: -- cgit v1.2.3