diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 726ea5d..07c8d83 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,6 +3,8 @@ on: pull_request concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read jobs: test: name: Test -- ${{ matrix.testenv }} @@ -17,7 +19,7 @@ jobs: fail-fast: false steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false ref: ${{ github.event.pull_request.head.sha }} @@ -26,13 +28,13 @@ jobs: sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ libgdal34t64 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.14' cache: 'pip' cache-dependency-path: 'requirements/*.txt' - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: '.nvmrc' - name: Configure Postgres (for faster tests) diff --git a/{{cookiecutter.project_slug}}/.github/workflows/ci_geodjango.yml b/{{cookiecutter.project_slug}}/.github/workflows/ci_geodjango.yml index 11237b9..fef5f89 100644 --- a/{{cookiecutter.project_slug}}/.github/workflows/ci_geodjango.yml +++ b/{{cookiecutter.project_slug}}/.github/workflows/ci_geodjango.yml @@ -3,6 +3,8 @@ on: pull_request concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read jobs: test: name: Test -- tox @@ -10,7 +12,7 @@ jobs: timeout-minutes: 10 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false ref: ${{ github.event.pull_request.head.sha }} @@ -20,17 +22,17 @@ jobs: sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ libgdal34t64 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.14' cache: 'pip' cache-dependency-path: 'requirements/*.txt' - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: '.nvmrc' - name: Node.js npm cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | ~/.npm diff --git a/{{cookiecutter.project_slug}}/.github/workflows/ci_standard.yml b/{{cookiecutter.project_slug}}/.github/workflows/ci_standard.yml index 1a7bd8a..34d9059 100644 --- a/{{cookiecutter.project_slug}}/.github/workflows/ci_standard.yml +++ b/{{cookiecutter.project_slug}}/.github/workflows/ci_standard.yml @@ -3,6 +3,8 @@ on: pull_request concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read jobs: test: name: Test -- tox @@ -10,22 +12,22 @@ jobs: timeout-minutes: 10 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false ref: ${{ github.event.pull_request.head.sha }} - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.14' cache: 'pip' cache-dependency-path: 'requirements/*.txt' - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: '.nvmrc' - name: Node.js npm cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | ~/.npm