chore: github actions cleanup

- [x] add stale workflow - [x] switch to umutable actions on ones that allow it (closes 8 security warnings) - [x] solve actionlint issues - [x] group commands instead of instead of individual redirects - [x] double quote variable to prevent globbing and word splitting Signed-off-by: jmeridth <jmeridth@gmail.com>
github · Nov 20, 2024 · a149582 · a149582
1 parent 118d181
commit a149582
Show file tree

Hide file tree

Showing 7 changed files with 31 additions and 12 deletions.
diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml
@@ -14,6 +14,6 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4.2.2
       - name: Build the Docker image
         run: docker build . --file Dockerfile --platform linux/amd64
diff --git a/.github/workflows/major-version-updater.yml b/.github/workflows/major-version-updater.yml
@@ -15,7 +15,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4.2.2
 
       - name: version
         id: version
@@ -25,9 +25,7 @@ jobs:
           tag=${GITHUB_REF/refs\/tags\//};
           version=${tag#v} ;
           major=${version%%.*} ;
-          echo "tag=${tag}" >> "$GITHUB_OUTPUT" ;
-          echo "version=${version}" >> "$GITHUB_OUTPUT" ;
-          echo "major=${major}" >> "$GITHUB_OUTPUT" ;
+          { echo "tag=${tag}"; echo "version=${version}"; echo "major=${major}"; } >> "$GITHUB_OUTPUT" ;
 
       - name: force update major tag
         run: |

diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
@@ -20,9 +20,9 @@ jobs:
       matrix:
         python-version: [3.11, 3.12]
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4.2.2
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
+        uses: actions/setup-python@v5.3.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -42,7 +42,7 @@ jobs:
         id: get_tag_name
         run: |
           short_tag=$(echo ${{ steps.release-drafter.outputs.tag_name }} | cut -d. -f1)
-          echo "SHORT_TAG=$short_tag" >> $GITHUB_OUTPUT
+          echo "SHORT_TAG=$short_tag" >> "$GITHUB_OUTPUT"
   create_action_images:
     needs: create_release
     runs-on: ubuntu-latest
@@ -60,7 +60,7 @@ jobs:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4.2.2
       - name: Push Docker Image
         if: ${{ success() }}
         uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4.2.2
         with:
           persist-credentials: false
 
@@ -36,7 +36,7 @@ jobs:
           results_format: sarif
           publish_results: true
       - name: "Upload artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@v4.4.3
         with:
           name: SARIF file
           path: results.sarif

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -0,0 +1,21 @@
+name: "Close stale issues"
+on:
+  schedule:
+    - cron: "30 1 * * *"
+
+permissions:
+  issues: write
+  pull-requests: read
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v9.0.0
+        with:
+          stale-issue-message: "This issue is stale because it has been open 21 days with no activity. Remove stale label or comment or this will be closed in 14 days."
+          close-issue-message: "This issue was closed because it has been stalled for 35 days with no activity."
+          days-before-stale: 21
+          days-before-close: 14
+          days-before-pr-close: -1
+          exempt-issue-labels: keep
diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml
@@ -18,7 +18,7 @@ jobs:
       statuses: write
     steps:
       - name: Checkout Code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4.2.2
         with:
           fetch-depth: 0
       - name: Install dependencies