diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 127e9d31..c10d0528 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -5,9 +5,13 @@ on:
 branches:
 - main
+permissions: {}
+
 jobs:
 check:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -15,10 +19,11 @@ jobs:
 protocol: [ 'json', 'msgpack' ]
 type: [ 'unit', 'acceptance' ]
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 with:
 submodules: 'recursive'
- - uses: ruby/setup-ruby@v1
+ persist-credentials: false
+ - uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
 with:
 ruby-version: ${{ matrix.ruby }}
 bundler-cache: true
@@ -31,8 +36,8 @@ jobs:
 RUBY_VERSION: ${{ matrix.ruby }}
 run: |
 mkdir junit
- bundle exec parallel_rspec --prefix-output-with-test-env-number --first-is-1 -- spec/${{ matrix.type }}
- - uses: actions/upload-artifact@v4
+ bundle exec parallel_rspec --prefix-output-with-test-env-number --first-is-1 -- "spec/$TEST_TYPE"
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: test-results-ruby-${{ matrix.ruby }}-${{ matrix.protocol }}-${{ matrix.type }}
 path: |
@@ -41,12 +46,12 @@ jobs:
 retention-days: 7
 - name: Upload test results
 if: always()
- uses: ably/test-observability-action@v1
+ uses: ably/test-observability-action@5b61d9c59f356b83426cab1b8243dd8bf03c1bea # v1
 with:
 server-url: 'https://test-observability.herokuapp.com'
 server-auth: ${{ secrets.TEST_OBSERVABILITY_SERVER_AUTH_KEY }}
 path: 'junit/'
- - uses: coverallsapp/github-action@v2
+ - uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 flag-name: ruby-${{ matrix.ruby }}-${{ matrix.protocol }}-${{ matrix.type }}
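Review bot: In the `@@ -15,10 +19,11 @@` hunk of check.yml the pin comment on actions/checkout names a moving major tag (`# v2`), while ruby/setup-ruby carries the exact release (`# v1.310.0`), so a reader cannot tell which release the checkout SHA is meant to be. Put the exact release tag in every pin comment, in the form `# v<major>.<minor>.<patch>`, and check each SHA against that tag in the upstream repository before merging. The same applies to the `# v4`, `# v1` and `# v2` comments in the later hunks of this file and in docs.yml. Pinned SHAs no longer pick up fixes on their own, and no update-bot configuration is visible in this diff, so it is worth confirming one exists.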
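Review bot: `"spec/$TEST_TYPE"` in the `@@ -31,8 +36,8 @@` hunk of check.yml depends on a `TEST_TYPE` variable whose definition is not visible here; the step's `env:` block starts above the hunk and only `RUBY_VERSION` is shown. If it is not already set there, the path expands to `spec/` and every matrix leg would presumably run the whole suite instead of its unit or acceptance half, without any error. Confirm the `env:` block contains `TEST_TYPE: ${{ matrix.type }}`, which is also what keeps the matrix value out of the script text as this change intends.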
@@ -54,9 +59,11 @@ jobs:
 finish:
 needs: check
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Coveralls Finished
- uses: coverallsapp/github-action@v2
+ uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2
 with:
 github-token: ${{ secrets.github_token }}
 parallel-finished: true
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 890e0eab..1a2620fd 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -10,9 +10,11 @@ jobs:
 deployments: write
 id-token: write
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
+ with:
+ persist-credentials: false
- - uses: ruby/setup-ruby@v1
+ - uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
 with:
 ruby-version: '2.7'
 bundler-cache: true
@@ -22,14 +24,14 @@ jobs:
 bundle exec yard --readme INTRO.md --tag "spec:Specification"
 ls -al doc/
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1
 with:
 aws-region: eu-west-2
 role-to-assume: arn:aws:iam::${{ secrets.ABLY_AWS_ACCOUNT_ID_SDK }}:role/ably-sdk-builds-ably-ruby
 role-session-name: "${{ github.run_id }}-${{ github.run_number }}"
 - name: Upload Documentation
- uses: ably/sdk-upload-action@v1
+ uses: ably/sdk-upload-action@8c6179796fc7ee8fc9bb28d5223ffef005b985cc # v1
 with:
 sourcePath: doc/
 githubToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/features.yml b/.github/workflows/features.yml
index 17cf9d77..dac82afa 100644
--- a/.github/workflows/features.yml
+++ b/.github/workflows/features.yml
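Review bot: docs.yml gets no workflow-level `permissions: {}` in this diff, unlike check.yml and features.yml, so a job added later without its own `permissions:` block would fall back to the repository's default token scopes. The existing job's block begins above the `@@ -10,9 +10,11 @@` hunk, where only `deployments: write` and `id-token: write` are visible, so the current job is probably already scoped. Adding `permissions: {}` at the top level of docs.yml would make the three workflows consistent. It matters most here because this job can assume an AWS role through `id-token: write`.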
@@ -6,9 +6,16 @@ on:
 branches:
 - main
+permissions: {}
+
 jobs:
 build:
- uses: ably/features/.github/workflows/sdk-features.yml@main
+ permissions:
+ contents: read
+ deployments: write
+ id-token: write
+ uses: ably/features/.github/workflows/sdk-features.yml@6b3fc7a8ede2ebdd7a6325314f3a96c6466f1453 # main
 with:
 repository-name: ably-ruby
- secrets: inherit
+ secrets:
+ ABLY_AWS_ACCOUNT_ID_SDK: ${{ secrets.ABLY_AWS_ACCOUNT_ID_SDK }}
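Review bot: Replacing `secrets: inherit` with an explicit `secrets:` map only works if the called workflow declares `ABLY_AWS_ACCOUNT_ID_SDK` under `on.workflow_call.secrets` at the pinned commit. A reusable workflow written for `inherit` may not declare it, in which case the caller fails validation. Any other secret the called workflow reads is no longer passed, so check the pinned `sdk-features.yml` for further `secrets.*` references. The `# main` comment names a branch rather than a release, so it would help to note beside it when the SHA was taken or how it gets refreshed.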