Merge pull request #5 from github/workflow-maintenance

Use explicit immutable Actions, move permissions to top of workflow, add missing test file, add test workflow

Author: GeekMasher

.github/workflows/eslint.yml

@@ -18,17 +18,19 @@ on:
   schedule:
     - cron: '18 22 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   eslint:
     name: Run eslint scanning
     runs-on: ubuntu-latest
     permissions:
-      contents: read
       security-events: write
       actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@4.2.2
 
       - name: Install ESLint
         run: |
@@ -46,7 +48,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload analysis results to GitHub
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@3.28.15
         with:
           sarif_file: eslint-results.sarif
           wait-for-processing: true

.github/workflows/publish.yml

@@ -6,14 +6,17 @@ on:
 
 permissions:
   contents: read
-  id-token: write
 
 jobs:
   publish-npm:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - name: Checkout code
+        uses: actions/[email protected]
+      - name: Setup Node
+        uses: actions/[email protected]
         with:
           node-version: 22
           registry-url: https://registry.npmjs.org/

.github/workflows/scorecard.yml

@@ -29,7 +29,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@4.2.2
         with:
           persist-credentials: false
 
@@ -49,7 +49,7 @@ jobs:
       # uploads of run results in SARIF format to the repository Actions tab.
       # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
       - name: "Upload artifact"
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@4.6.2
         with:
           name: SARIF file
           path: results.sarif
@@ -58,6 +58,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+        uses: github/codeql-action/upload-sarif@3.28.12
         with:
           sarif_file: results.sarif

.github/workflows/test.yml

@@ -0,0 +1,26 @@
+name: Test with npm
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+      - name: Setup Node
+        uses: actions/[email protected]
+        with:
+          node-version: 22
+          registry-url: https://registry.npmjs.org/
+          cache: npm
+      - run: npm ci
+      - run: npm test

testFile.json

@@ -0,0 +1,3 @@
+{
+    "owner1/repo1/path/to/action": ["sha1", "sha2"]
+}