diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1ae86b6..81db4dd 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,12 @@ updates:
 directory: "/" # Location of package manifests
 schedule:
 interval: "daily"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 7
+ commit-message:
+ prefix: "chore: "
diff --git a/.github/workflows/build_and_publish.yaml b/.github/workflows/build_and_publish.yaml
index f03506b..5af9680 100644
--- a/.github/workflows/build_and_publish.yaml
+++ b/.github/workflows/build_and_publish.yaml
@@ -16,7 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: checkout
- uses: actions/checkout@master
+ uses: actions/checkout@v6
 - uses: extractions/setup-just@69d82fb0233557aec017ef13706851d0694e0f1d
 - name: Build image
 run: just build
diff --git a/.github/workflows/check-auth-header.yaml b/.github/workflows/check-auth-header.yaml
index a75c672..e81be24 100644
--- a/.github/workflows/check-auth-header.yaml
+++ b/.github/workflows/check-auth-header.yaml
@@ -4,6 +4,8 @@ on:
 # 09:00 UTC every day
 - cron: '0 9 * * *'
 workflow_dispatch:
+permissions:
+ contents: read
 env:
 EXPECTED: 'realm="https://ghcr.io/token",service="ghcr.io",scope="repository:user/image:pull"'
 jobs:
@@ -11,6 +13,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: checkout
- uses: actions/checkout@master
+ uses: actions/checkout@v6
 - name: check
 run: python3 check-header.py
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 4532383..305778b 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -3,12 +3,14 @@ on:
 pull_request:
 env:
 IMAGE_NAME: opensafely-proxy
+permissions:
+ contents: read
 jobs:
 build:
 runs-on: ubuntu-latest
 steps:
 - name: checkout
- uses: actions/checkout@master
+ uses: actions/checkout@v6
 - uses: extractions/setup-just@69d82fb0233557aec017ef13706851d0694e0f1d
 - name: Build image
 run: just build
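Review bot: The new `cooldown` setting in the github-actions entry carries no comment saying why releases are held back, so a later editor may drop it as noise. I would add `# Hold new action releases for 7 days so a bad or compromised release can be reported before we adopt it` above `cooldown:`. As far as I know the cooldown delays version updates only and not security updates; worth confirming against the Dependabot documentation and stating in the comment. The first `updates` entry starts outside this hunk.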
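Review bot: `actions/checkout@v6` in build_and_publish.yaml is still a movable ref, because a major-version tag can be repointed, while the next step in the same hunk pins `extractions/setup-just` to a full commit SHA. Pinning checkout the same way, `uses: actions/checkout@<full-commit-sha-of-the-v6-release> # v6`, makes the reference immutable, and the github-actions Dependabot entry added in this commit can then propose the SHA bumps. The same line appears in the checkout hunks of check-auth-header.yaml and tests.yaml. The job body continues outside the hunk.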
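Review bot: The read-only `permissions` block added in check-auth-header.yaml and tests.yaml has no counterpart in build_and_publish.yaml, whose only hunk in this commit is the checkout change. That file's header is not visible here, so it may already declare permissions; if it does not, its job token keeps the repository's default scopes, and judging by the file name it is the workflow that pushes images. I would declare the scopes explicitly there too, e.g. `permissions:` with `contents: read` and, only if it publishes to GHCR with the job token, `packages: write`.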
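Review bot: The checkout step in tests.yaml keeps the job token available to later steps by default, and `just build` then runs code from the pull-request branch. The new `contents: read` block already limits that token, but nothing visible in the hunk needs git credentials after checkout, so I would add `with:` and `persist-credentials: false` under the `uses: actions/checkout@v6` line. The job may continue past the hunk, so confirm that no later step fetches or pushes before applying this.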