diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index df3d24235..bbc7fd9ac 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -12,6 +12,9 @@ on: - 'LICENSE.txt' - 'NOTICE.txt' +permissions: + contents: read + jobs: install: runs-on: ubuntu-latest diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index 0c8c562ed..d9108a3ed 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml @@ -10,12 +10,15 @@ on: paths: - '**.java' +permissions: + contents: read + jobs: check-format: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: axel-op/googlejavaformat-action@v3 + - uses: axel-op/googlejavaformat-action@c1134ebd196c4cbffb077f9476585b0be8b6afcd # v4.0.0 with: - version: v1.19.2 + release-name: v1.19.2 args: "--set-exit-if-changed --dry-run" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bba8748fe..442f36988 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,6 +5,9 @@ on: tags: - v* +permissions: + contents: write + jobs: publish: runs-on: ubuntu-latest @@ -33,12 +36,12 @@ jobs: run: echo "version-without-v=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT" - name: Get changelog release info id: changelog - uses: release-flow/keep-a-changelog-action@v3 + uses: release-flow/keep-a-changelog-action@74931dec7ecdbfc8e38ac9ae7e8dd84c08db2f32 # v3.0.0 with: command: query version: ${{ steps.get-version.outputs.version-without-v }} - name: Create GitHub Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2 with: name: ${{ steps.changelog.outputs.version }} body: ${{ steps.changelog.outputs.release-notes }} diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml index 8f2a41f66..84329a1f2 100644 --- a/.github/workflows/sonar.yml +++ b/.github/workflows/sonar.yml @@ -5,6 +5,9 @@ on: branches: - 'master' +permissions: + contents: read + jobs: scan: runs-on: ubuntu-latest