From f7e720e661de61033ce12686eb23ed02ddfeb079 Mon Sep 17 00:00:00 2001 From: Maxim Prokhorov Date: Thu, 30 Jun 2022 16:56:30 +0300 Subject: [PATCH 1/6] github: actions/checkout v2 -> v3 --- .github/workflows/pull-request.yml | 22 +++++++++++----------- .github/workflows/release-to-publish.yml | 2 +- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 1426a0c6a0..dec474a152 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -22,7 +22,7 @@ jobs: matrix: chunk: [0, 1, 2, 3, 4, 5, 6, 7] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: true - uses: actions/setup-python@v2 @@ -57,7 +57,7 @@ jobs: matrix: chunk: [0, 1, 2, 3, 4, 5, 6, 7] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: true - uses: actions/setup-python@v2 @@ -85,7 +85,7 @@ jobs: name: Windows runs-on: windows-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: true - uses: actions/setup-python@v2 @@ -120,7 +120,7 @@ jobs: run: shell: bash steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: true - uses: actions/setup-python@v2 @@ -152,7 +152,7 @@ jobs: run: shell: bash steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: true - uses: actions/setup-python@v2 @@ -179,7 +179,7 @@ jobs: run: shell: bash steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: true - uses: actions/setup-python@v2 @@ -203,7 +203,7 @@ jobs: run: shell: bash steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: true - uses: actions/setup-python@v2 @@ -230,7 +230,7 @@ jobs: run: shell: bash steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: true - uses: actions/setup-python@v2 
@@ -264,7 +264,7 @@ jobs: run: shell: bash steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: true - uses: actions/setup-python@v2 @@ -286,7 +286,7 @@ jobs: run: shell: bash steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: true - uses: actions/setup-python@v2 @@ -316,7 +316,7 @@ jobs: run: shell: bash steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: true - name: Run codespell diff --git a/.github/workflows/release-to-publish.yml b/.github/workflows/release-to-publish.yml index 8c815e4fd3..b1310e451e 100644 --- a/.github/workflows/release-to-publish.yml +++ b/.github/workflows/release-to-publish.yml @@ -36,7 +36,7 @@ jobs: run: shell: bash steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: false fetch-depth: 0 From 446620c16ff3e8a8755d331ae9d0ca1e8641dcde Mon Sep 17 00:00:00 2001 From: Maxim Prokhorov Date: Thu, 30 Jun 2022 16:57:33 +0300 Subject: [PATCH 2/6] github: actions/cache v2 -> v3 --- .github/workflows/pull-request.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index dec474a152..1574891778 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -30,7 +30,7 @@ jobs: python-version: '3.x' - name: Cache Linux toolchain id: cache-linux - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ./tools/dist key: ${{ runner.os }}-${{ hashFiles('package/package_esp8266com_index.template.json', 'tests/common.sh') }} @@ -65,7 +65,7 @@ jobs: python-version: '3.x' - name: Cache Linux toolchain id: cache-linux - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ./tools/dist key: ${{ runner.os }}-${{ hashFiles('package/package_esp8266com_index.template.json', 'tests/common.sh') }} 
@@ -93,7 +93,7 @@ jobs: python-version: '3.x' - name: Cache Windows toolchain id: cache-windows - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ./tools/dist key: ${{ runner.os }}-${{ hashFiles('package/package_esp8266com_index.template.json', 'tests/common.sh') }} @@ -128,7 +128,7 @@ jobs: python-version: '3.x' - name: Cache Mac toolchain id: cache-mac - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ./tools/dist key: ${{ runner.os }}-${{ hashFiles('package/package_esp8266com_index.template.json', 'tests/common.sh') }} @@ -294,7 +294,7 @@ jobs: python-version: '3.x' - name: Cache Linux toolchain id: cache-linux - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: ./tools/dist key: ${{ runner.os }}-${{ hashFiles('package/package_esp8266com_index.template.json', 'tests/common.sh') }} From 74dd6799b885781517a6c38523a445dbd4407d82 Mon Sep 17 00:00:00 2001 From: Maxim Prokhorov Date: Thu, 30 Jun 2022 16:58:25 +0300 Subject: [PATCH 3/6] github: actions/setup-python v2 -> v4 --- .github/workflows/pull-request.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 1574891778..9d5214486b 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -25,7 +25,7 @@ jobs: - uses: actions/checkout@v3 with: submodules: true - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 with: python-version: '3.x' - name: Cache Linux toolchain @@ -60,7 +60,7 @@ jobs: - uses: actions/checkout@v3 with: submodules: true - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 with: python-version: '3.x' - name: Cache Linux toolchain @@ -88,7 +88,7 @@ jobs: - uses: actions/checkout@v3 with: submodules: true - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 with: python-version: '3.x' - name: Cache Windows toolchain 
@@ -123,7 +123,7 @@ jobs: - uses: actions/checkout@v3 with: submodules: true - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 with: python-version: '3.x' - name: Cache Mac toolchain @@ -155,7 +155,7 @@ jobs: - uses: actions/checkout@v3 with: submodules: true - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 with: python-version: '3.x' - name: Build subset on Platform.IO @@ -182,7 +182,7 @@ jobs: - uses: actions/checkout@v3 with: submodules: true - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 with: python-version: '3.x' - name: Run host tests @@ -206,7 +206,7 @@ jobs: - uses: actions/checkout@v3 with: submodules: true - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 with: python-version: '3.x' - name: Build documentation @@ -233,7 +233,7 @@ jobs: - uses: actions/checkout@v3 with: submodules: true - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 with: python-version: '3.x' - name: Style check @@ -267,7 +267,7 @@ jobs: - uses: actions/checkout@v3 with: submodules: true - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 with: python-version: '3.x' - name: Mock build @@ -289,7 +289,7 @@ jobs: - uses: actions/checkout@v3 with: submodules: true - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 with: python-version: '3.x' - name: Cache Linux toolchain From 335f9a8bbb3f042024ab9ebe467b17357e8030c8 Mon Sep 17 00:00:00 2001 From: Maxim Prokhorov Date: Thu, 30 Jun 2022 17:03:26 +0300 Subject: [PATCH 4/6] github: dependabot for actions --- .github/dependabot.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000000..30dd030d31 --- /dev/null +++ b/.github/dependabot.yml 
@@ -0,0 +1,11 @@ +# see https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot +# make sure our actions stay up-to-date and we know about any updates. +# most of the time, this happens for major releases. +# (...unless we stop using version tags and switch to hashes...) + +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" From 40c1e8919a422dfd9d130a22b25908714419f76b Mon Sep 17 00:00:00 2001 From: Maxim Prokhorov Date: Thu, 30 Jun 2022 17:36:25 +0300 Subject: [PATCH 5/6] github: 'restricted' mode for token permissions noticed at https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions whenever external action uses our token, overall workflow 'permissions:' apply https://docs.github.com/en/actions/security-guides/automatic-token-authentication https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token ref. apps documentation to understand which permissions API endpoints need https://docs.github.com/en/rest/overview/permissions-required-for-github-apps --- .github/workflows/pull-request.yml | 4 ++++ .github/workflows/release-to-publish.yml | 3 +++ 2 files changed, 7 insertions(+) diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 9d5214486b..a1bd24d456 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -9,6 +9,10 @@ on: pull_request: +permissions: + contents: read + + jobs: # Run 8 parallel jobs for the default build of all examples. diff --git a/.github/workflows/release-to-publish.yml b/.github/workflows/release-to-publish.yml index b1310e451e..cdba16b325 100644 --- a/.github/workflows/release-to-publish.yml +++ b/.github/workflows/release-to-publish.yml @@ -28,6 +28,9 @@ on: release: types: [published] +permissions: + contents: read + jobs: package: name: Update master JSON file 
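Review bot: The comment "(...unless we stop using version tags and switch to hashes...)" in the new dependabot.yml suggests SHA pinning and Dependabot updates are mutually exclusive, but as far as I can tell the github-actions ecosystem also updates full-length commit-SHA references and keeps the trailing version comment in sync, so pinning does not forfeit the update notifications this file is meant to provide. Since the rest of this series still references mutable tags (`actions/checkout@v3`, `actions/cache@v3`, `actions/setup-python@v4`), which a compromised or force-moved tag can redirect, I would reword the comment to `# works with both version tags and full commit SHAs (e.g. uses: actions/checkout@<sha> # v3.0.2); prefer SHAs` and follow up with SHA pinning. Consider also a `commit-message:`/`prefix` entry if you want these PRs to be easy to filter, though that is purely cosmetic.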
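Review bot: Workflow-level `permissions: contents: read` in release-to-publish.yml resets every other GITHUB_TOKEN scope to none, and the job it governs is named "Update master JSON file" on a `release: published` trigger; if its steps (outside this hunk) commit or push with GITHUB_TOKEN, or touch the release via the API, they will now fail with 403. I cannot see the steps, so please confirm; if they do write, keep the workflow-level read default and raise only that job, e.g. under `package:` add `permissions:` / `contents: write`. That keeps the least-privilege intent of the commit while not breaking the publish path.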
From dfd8d426c41bbf3a7f27b274db20b170925de5a5 Mon Sep 17 00:00:00 2001 From: Maxim Prokhorov Date: Thu, 30 Jun 2022 20:12:57 +0300 Subject: [PATCH 6/6] missed tag-to-draft action --- .github/workflows/tag-to-draft-release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tag-to-draft-release.yml b/.github/workflows/tag-to-draft-release.yml index 51240262d0..fc87f1ba87 100644 --- a/.github/workflows/tag-to-draft-release.yml +++ b/.github/workflows/tag-to-draft-release.yml @@ -18,11 +18,11 @@ jobs: run: shell: bash steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: submodules: true fetch-depth: 0 - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 with: python-version: '3.x' - name: Set GIT tag name
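Review bot: This follow-up only bumps the action versions in tag-to-draft-release.yml, while patch 5 of the series added a `permissions:` block to the other two workflows but, per its diffstat, not to this one. A workflow that creates a draft release needs `contents: write`, and without an explicit block the token falls back to the repository's default permission set, which may be read/write on all scopes; I cannot see the top of this file, so confirm whether a `permissions:` block already exists. If not, add `permissions:` / `contents: write` at the job level (or at workflow level if that is the only job) so the token is scoped the same way as in the other workflows. The job body continues past the end of this hunk.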