diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 76f594db6c..f16e585f8a 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,3 +1,6 @@
+permissions:
+ contents: read
+
 on:
 push:
 branches:
@@ -12,8 +15,10 @@ jobs:
 matrix:
 node: [18, 20, 22]
 steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: ${{ matrix.node }}
 - run: node --version
@@ -30,8 +35,10 @@ jobs:
 windows:
 runs-on: windows-latest
 steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: 22
 - run: npm install
@@ -41,8 +48,10 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: 22
 - run: npm install
@@ -50,8 +59,10 @@ jobs:
 docs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: 22
 - run: npm install
diff --git a/.github/workflows/issues-no-repro.yaml b/.github/workflows/issues-no-repro.yaml
index 978863915b..9e24b7db82 100644
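Review bot: The trailing comment on the new `actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6` line in the matrix job's `steps:` names only the floating major tag, while the checkout line directly above it carries an exact release (`# v5.0.0`). Someone auditing the pin cannot tell from `# v6` which release the digest was resolved from, and the major tag keeps moving while the digest does not. Annotate each digest with the exact release tag it was taken from, as the checkout line already does; the same applies to the setup-node lines in the `windows`, `lint` and `docs` hunks and to the setup-node and github-script pins in the other workflow files of this commit. The job definitions begin outside these hunks.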
--- a/.github/workflows/issues-no-repro.yaml
+++ b/.github/workflows/issues-no-repro.yaml
@@ -1,3 +1,6 @@
+permissions:
+ contents: read
+
 name: invalid_link
 on:
 issues:
@@ -10,13 +13,15 @@ jobs:
 issues: write
 pull-requests: write
 steps:
- - uses: actions/checkout@v5
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ with:
+ persist-credentials: false
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: 18
 - run: npm install
 working-directory: ./.github/scripts
- - uses: actions/github-script@v8
+ - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
 with:
 script: |
 const script = require('./.github/scripts/close-invalid-link.cjs')
diff --git a/.github/workflows/response.yaml b/.github/workflows/response.yaml
index e81a3603af..f20ee42db2 100644
--- a/.github/workflows/response.yaml
+++ b/.github/workflows/response.yaml
@@ -1,3 +1,6 @@
+permissions:
+ contents: read
+
 name: no_response
 on:
 schedule:
@@ -13,8 +16,10 @@ jobs:
 issues: write
 pull-requests: write
 steps:
- - uses: actions/checkout@v5
- - uses: actions/github-script@v7
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ with:
+ persist-credentials: false
+ - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 script: |
 const script = require('./.github/scripts/close-unresponsive.cjs')
@@ -27,8 +32,10 @@ jobs:
 issues: write
 pull-requests: write
 steps:
- - uses: actions/checkout@v5
- - uses: actions/github-script@v7
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ with:
+ persist-credentials: false
+ - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 script: |
 const script = require('./.github/scripts/remove-response-label.cjs')
diff --git a/.github/workflows/update-apis.yaml b/.github/workflows/update-apis.yaml
index 8da90517e1..69fd2704c0 100644
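Review bot: The `- run: npm install` step in `./.github/scripts` (issues-no-repro.yaml, second hunk) stays an unpinned input in a job that, judging by the `issues: write` / `pull-requests: write` lines at the top of the hunk, runs with a write-scoped token on issue events. The three `uses:` steps around it are now fixed by digest, so the installed dependency tree is the remaining part that can change between runs. If a lockfile is committed under `.github/scripts` (not visible here), `- run: npm ci --ignore-scripts` would install exactly the locked tree and skip dependency lifecycle scripts, provided none of the dependencies needs one. `persist-credentials: false` keeps the token out of the checked-out git config, but the later github-script step still receives it. The job header and its `permissions:` key are outside the hunk.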
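Review bot: `actions/checkout` is pinned in this response.yaml job to `93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5`, whereas ci.yaml in the same commit pins it to `08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`; two different digests cannot be the same release, and `# v5` does not say which one this is. Use one release of the action across the repository and label it with its exact tag, so the pins can be compared at a glance and a stale one stands out. The same digest and comment appear in the second job of this file and in issues-no-repro.yaml.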
--- a/.github/workflows/update-apis.yaml
+++ b/.github/workflows/update-apis.yaml
@@ -1,3 +1,6 @@
+permissions:
+ contents: read
+
 on:
 schedule:
 - cron: "0 1 * * *"
@@ -7,7 +10,7 @@ jobs:
 update-apis:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: 22
 - run: gh repo fork googleapis/google-api-nodejs-client --fork-name google-api-nodejs-client-autodisco --clone
diff --git a/renovate.json b/renovate.json
index f39fd32323..08cca7c43b 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,6 +1,6 @@
 {
 "extends": [
- "config:base",
+ "config:best-practices",
 "docker:disable",
 ":disableDependencyDashboard"
 ],
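Review bot: The new workflow-level `permissions: contents: read` in update-apis.yaml constrains only the automatically issued `GITHUB_TOKEN`, while the `gh repo fork … --clone` step visible in the next hunk needs a credential that can create a fork and push to it, which a read-only `GITHUB_TOKEN` does not provide. If `gh` is authenticated with a separate secret (the step's `env:` is outside the hunk), that credential is untouched by this block and its scopes deserve the same least-privilege review. If the job relied on `GITHUB_TOKEN`, the scheduled run would start failing after this change. Once confirmed, a comment above the block such as `# GITHUB_TOKEN is read-only; gh steps authenticate with a separate secret` would record which case applies.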
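Review bot: Replacing `"config:base"` with `"config:best-practices"` in `extends` enables more than digest maintenance for the workflow actions. As the preset is documented at the time of writing, it also pulls in `:pinDevDependencies` and `:configMigration` next to `helpers:pinGitHubActionDigests`, so expect Renovate PRs that pin devDependency ranges and rewrite this file. If only the action digests are meant to be kept current, `"config:recommended"` plus `"helpers:pinGitHubActionDigests"` is the narrower choice. The preset's `docker:pinDigests` is moot given the `"docker:disable"` entry that follows, and since renovate.json has no comment syntax the rationale belongs in the commit message.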