From 0882dcfdba41559784b7f95f02404734f03cfbfc Mon Sep 17 00:00:00 2001 From: Alex Tomkins Date: Sat, 2 May 2026 12:03:20 +0100 Subject: [PATCH 1/2] Pin GitHub Actions --- .github/workflows/ci.yml | 6 +++--- .../.github/workflows/ci_geodjango.yml | 8 ++++---- .../.github/workflows/ci_standard.yml | 8 ++++---- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 726ea5d..dfe658e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,7 +17,7 @@ jobs: fail-fast: false steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false ref: ${{ github.event.pull_request.head.sha }} @@ -26,13 +26,13 @@ jobs: sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ libgdal34t64 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.14' cache: 'pip' cache-dependency-path: 'requirements/*.txt' - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: '.nvmrc' - name: Configure Postgres (for faster tests) diff --git a/{{cookiecutter.project_slug}}/.github/workflows/ci_geodjango.yml b/{{cookiecutter.project_slug}}/.github/workflows/ci_geodjango.yml index 11237b9..13838e6 100644 --- a/{{cookiecutter.project_slug}}/.github/workflows/ci_geodjango.yml +++ b/{{cookiecutter.project_slug}}/.github/workflows/ci_geodjango.yml @@ -10,7 +10,7 @@ jobs: timeout-minutes: 10 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false ref: ${{ github.event.pull_request.head.sha }} 
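Review bot: The SHA pins added on the `uses:` lines here (and repeated in the `ci_geodjango.yml` and `ci_standard.yml` hunks) have no visible mechanism to move them forward, so fixes released for `actions/checkout`, `actions/setup-python`, `actions/setup-node` and `actions/cache` will not reach these workflows until someone re-pins by hand. No Dependabot or similar config is part of this patch, so this is inferred; if none exists, add a `package-ecosystem: "github-actions"` entry to `.github/dependabot.yml`, and ship one inside `{{cookiecutter.project_slug}}/` as well, since generated projects inherit the frozen SHAs. The trailing `# v6.0.2`-style comments are not checked by GitHub, so it is worth confirming once that each SHA is the commit the named tag points to in the upstream `actions/*` repository. Each hunk cuts through the `steps:` list, so the remaining steps are not visible here.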
@@ -20,17 +20,17 @@ jobs: sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ libgdal34t64 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.14' cache: 'pip' cache-dependency-path: 'requirements/*.txt' - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: '.nvmrc' - name: Node.js npm cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | ~/.npm diff --git a/{{cookiecutter.project_slug}}/.github/workflows/ci_standard.yml b/{{cookiecutter.project_slug}}/.github/workflows/ci_standard.yml index 1a7bd8a..78a650b 100644 --- a/{{cookiecutter.project_slug}}/.github/workflows/ci_standard.yml +++ b/{{cookiecutter.project_slug}}/.github/workflows/ci_standard.yml @@ -10,22 +10,22 @@ jobs: timeout-minutes: 10 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false ref: ${{ github.event.pull_request.head.sha }} - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.14' cache: 'pip' cache-dependency-path: 'requirements/*.txt' - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version-file: '.nvmrc' - name: Node.js npm cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: | ~/.npm From f0083150f34a9d6354ef64e3b739a99be5424964 Mon Sep 17 00:00:00 2001 
From: Alex Tomkins Date: Tue, 5 May 2026 11:07:30 +0100 Subject: [PATCH 2/2] Tweak default permissions --- .github/workflows/ci.yml | 2 ++ .../.github/workflows/ci_geodjango.yml | 2 ++ {{cookiecutter.project_slug}}/.github/workflows/ci_standard.yml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dfe658e..07c8d83 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,6 +3,8 @@ on: pull_request concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read jobs: test: name: Test -- ${{ matrix.testenv }} diff --git a/{{cookiecutter.project_slug}}/.github/workflows/ci_geodjango.yml b/{{cookiecutter.project_slug}}/.github/workflows/ci_geodjango.yml index 13838e6..fef5f89 100644 --- a/{{cookiecutter.project_slug}}/.github/workflows/ci_geodjango.yml +++ b/{{cookiecutter.project_slug}}/.github/workflows/ci_geodjango.yml @@ -3,6 +3,8 @@ on: pull_request concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read jobs: test: name: Test -- tox diff --git a/{{cookiecutter.project_slug}}/.github/workflows/ci_standard.yml b/{{cookiecutter.project_slug}}/.github/workflows/ci_standard.yml index 78a650b..34d9059 100644 --- a/{{cookiecutter.project_slug}}/.github/workflows/ci_standard.yml +++ b/{{cookiecutter.project_slug}}/.github/workflows/ci_standard.yml @@ -3,6 +3,8 @@ on: pull_request concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read jobs: test: name: Test -- tox
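Review bot: The new top-level `permissions:` block in all three workflows carries no comment, and because listing any scope there leaves every unlisted scope at `none`, a later step that needs to comment on a pull request or upload results will fail with a permissions error that is easy to misread. I would add a line above it such as `# Least privilege: GITHUB_TOKEN is read-only; grant extra scopes per job, not here`, which matters most in the two cookiecutter templates, where generated projects will extend the workflow. The jobs sit outside these hunks, so I cannot confirm that no existing step needs more than `contents: read`.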