diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 78771e2..c41cbfe 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -25,7 +25,7 @@ jobs: attestations: write # for provenances timeout-minutes: 20 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: # https://github.com/reproducible-containers/repro-get/issues/3 fetch-depth: 0 @@ -66,7 +66,7 @@ jobs: gh attestation verify socket_vmnet-${version}-x86_64.tar.gz --owner lima-vm \`\`\` EOF - - uses: actions/attest-build-provenance@v1 + - uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') with: subject-path: _artifacts/* diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 376a8c7..189e92b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -7,6 +7,9 @@ on: - 'release/**' pull_request: +permissions: + contents: read + jobs: integration: name: Integration tests @@ -19,7 +22,7 @@ jobs: runs-on: ${{ matrix.platform }} timeout-minutes: 40 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 1 - name: Show host info @@ -44,7 +47,7 @@ jobs: - name: Print launchd status (shared mode) run: launchctl print system/io.github.lima-vm.socket_vmnet - name: Fetch homebrew-core commit messages - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: # needed by ./hack/brew-install-version.sh repository: homebrew/homebrew-core @@ -60,7 +63,7 @@ jobs: - name: Test (shared mode) run: ./test/test.sh /var/run/socket_vmnet # Bridged mode cannot be tested on GHA - - uses: actions/setup-go@v5 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: 1.23.x - name: Install Lima