Skip to content

Commit

Permalink
Update github workflow permissions (#193)
Browse files Browse the repository at this point in the history
Resolves 5 code scanning alerts in github

Signed-off-by: Dave Thaler <dthaler1968@gmail.com>
  • Loading branch information
dthaler authored Sep 19, 2024
1 parent f4ce489 commit 8968412
Show file tree
Hide file tree
Showing 5 changed files with 40 additions and 25 deletions.
13 changes: 8 additions & 5 deletions .github/workflows/AIForOrcas.Client.Web.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,9 @@ defaults:
run:
working-directory: ModeratorFrontEnd/AIForOrcas/AIForOrcas.Client.Web

permissions: # added using https://github.com/step-security/secure-repo
contents: read

jobs:
build:
runs-on: ubuntu-latest
Expand All @@ -40,9 +43,9 @@ jobs:
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Setup .NET Core
uses: actions/setup-dotnet@v1
uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 # v1.9.1
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
- name: Dependencies
Expand All @@ -54,7 +57,7 @@ jobs:
- name: Publish
run: dotnet publish --no-restore -c Release -o './${{ env.PUBLISH_DIR }}'
- name: Artifacts cache
uses: actions/cache@v2
uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
with:
path: ./${{ env.WORKING_DIR }}/${{ env.PUBLISH_DIR }}
key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
Expand All @@ -70,12 +73,12 @@ jobs:
with:
egress-policy: audit
- name: Artifacts cache
uses: actions/cache@v2
uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
with:
path: ./${{ env.WORKING_DIR}}/${{ env.PUBLISH_DIR }}
key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
- name: Deploy to azure
uses: azure/webapps-deploy@v2
uses: azure/webapps-deploy@4bfb30bef2c330e36be280cb1e5726d0fac06233 # v2.2.13
with:
app-name: ${{ env.AZURE_APP_NAME }}
publish-profile: ${{ secrets.AZURE_AISFORORCAS_PUBLISH_PROFILE }}
Expand Down
13 changes: 8 additions & 5 deletions .github/workflows/AIForOrcas.Server.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,9 @@ defaults:
run:
working-directory: ModeratorFrontEnd/AIForOrcas/AIForOrcas.Server

permissions: # added using https://github.com/step-security/secure-repo
contents: read

jobs:
build:
runs-on: ubuntu-latest
Expand All @@ -38,9 +41,9 @@ jobs:
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Setup .NET Core
uses: actions/setup-dotnet@v1
uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 # v1.9.1
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
- name: Dependencies
Expand All @@ -52,7 +55,7 @@ jobs:
- name: Publish
run: dotnet publish --no-restore -c Release -o './${{ env.PUBLISH_DIR }}'
- name: Artifacts cache
uses: actions/cache@v2
uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
with:
path: ./${{ env.WORKING_DIR }}/${{ env.PUBLISH_DIR }}
key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
Expand All @@ -68,12 +71,12 @@ jobs:
with:
egress-policy: audit
- name: Artifacts cache
uses: actions/cache@v2
uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
with:
path: ./${{ env.WORKING_DIR}}/${{ env.PUBLISH_DIR }}
key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
- name: Deploy to azure
uses: azure/webapps-deploy@v2
uses: azure/webapps-deploy@4bfb30bef2c330e36be280cb1e5726d0fac06233 # v2.2.13
with:
app-name: ${{ env.AZURE_APP_NAME }}
publish-profile: ${{ secrets.AZURE_AISFORORCASDETECTIONS_PUBLISH_PROFILE }}
Expand Down
13 changes: 8 additions & 5 deletions .github/workflows/NotificationSystem.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,9 @@ defaults:
run:
working-directory: NotificationSystem

permissions: # added using https://github.com/step-security/secure-repo
contents: read

jobs:
build:
runs-on: ubuntu-latest
Expand All @@ -34,9 +37,9 @@ jobs:
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Setup .NET Core
uses: actions/setup-dotnet@v1
uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 # v1.9.1
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
- name: Dependencies
Expand All @@ -48,7 +51,7 @@ jobs:
- name: Publish
run: dotnet publish --no-restore -c Release -o './${{ env.PUBLISH_DIR }}'
- name: Artifacts cache
uses: actions/cache@v2
uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
with:
path: ./${{ env.WORKING_DIR }}/${{ env.PUBLISH_DIR }}
key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
Expand All @@ -64,12 +67,12 @@ jobs:
with:
egress-policy: audit
- name: Artifacts cache
uses: actions/cache@v2
uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
with:
path: ./${{ env.WORKING_DIR}}/${{ env.PUBLISH_DIR }}
key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
- name: Deploy to Azure Functions
uses: azure/functions-action@v1
uses: azure/functions-action@fd80521afbba9a2a76a99ba1acc07aff8d733d11 # v1.5.2
with:
app-name: ${{ env.AZURE_APP_NAME }}
publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }}
Expand Down
13 changes: 8 additions & 5 deletions .github/workflows/OrcaHello.Web.Api.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,9 @@ defaults:
run:
working-directory: ModeratorFrontEnd/OrcaHello/OrcaHello.Web.Api

permissions: # added using https://github.com/step-security/secure-repo
contents: read

jobs:
build:
runs-on: ubuntu-latest
Expand All @@ -36,9 +39,9 @@ jobs:
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Set up .NET Core
uses: actions/setup-dotnet@v1
uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 # v1.9.1
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
- name: Dependencies
Expand All @@ -50,7 +53,7 @@ jobs:
- name: Publish
run: dotnet publish --no-restore -c Release -o './${{ env.PUBLISH_DIR }}'
- name: Artifacts cache
uses: actions/cache@v2
uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
with:
path: ./${{ env.WORKING_DIR }}/${{ env.PUBLISH_DIR }}
key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
Expand All @@ -66,12 +69,12 @@ jobs:
with:
egress-policy: audit
- name: Artifacts cache
uses: actions/cache@v2
uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
with:
path: ./${{ env.WORKING_DIR}}/${{ env.PUBLISH_DIR }}
key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
- name: Deploy to azure
uses: azure/webapps-deploy@v2
uses: azure/webapps-deploy@4bfb30bef2c330e36be280cb1e5726d0fac06233 # v2.2.13
with:
app-name: ${{ env.AZURE_APP_NAME }}
publish-profile: ${{ secrets.AZURE_ORCAHELLODETECTIONS_PUBLISH_PROFILE }}
Expand Down
13 changes: 8 additions & 5 deletions .github/workflows/OrcaHello.Web.UI.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,9 @@ defaults:
run:
working-directory: ModeratorFrontEnd/OrcaHello/OrcaHello.Web.UI

permissions: # added using https://github.com/step-security/secure-repo
contents: read

jobs:
build:
runs-on: ubuntu-latest
Expand All @@ -36,9 +39,9 @@ jobs:
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Set up .NET Core
uses: actions/setup-dotnet@v1
uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 # v1.9.1
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
- name: Dependencies
Expand All @@ -50,7 +53,7 @@ jobs:
- name: Publish
run: dotnet publish --no-restore -c Release -o './${{ env.PUBLISH_DIR }}'
- name: Artifacts cache
uses: actions/cache@v2
uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
with:
path: ./${{ env.WORKING_DIR }}/${{ env.PUBLISH_DIR }}
key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
Expand All @@ -66,12 +69,12 @@ jobs:
with:
egress-policy: audit
- name: Artifacts cache
uses: actions/cache@v2
uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
with:
path: ./${{ env.WORKING_DIR}}/${{ env.PUBLISH_DIR }}
key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts
- name: Deploy to azure
uses: azure/webapps-deploy@v2
uses: azure/webapps-deploy@4bfb30bef2c330e36be280cb1e5726d0fac06233 # v2.2.13
with:
app-name: ${{ env.AZURE_APP_NAME }}
publish-profile: ${{ secrets.AZURE_ORCAHELLO_PUBLISH_PROFILE }}
Expand Down

0 comments on commit 8968412

Please sign in to comment.