Bump actions and add permissions (#244)
authorWilliam Desportes <redacted>
Thu, 16 May 2024 21:47:42 +0000 (23:47 +0200)
committerGitHub <redacted>
Thu, 16 May 2024 21:47:42 +0000 (23:47 +0200)
.github/workflows/build.yml
.github/workflows/test.yml
.github/workflows/update-sh.yml

index 519b512a1e28a82603320fcf41dc62a8985e2aa2..9329f4bb8fa32bde19e445eebdab596a6235ae1c 100644 (file)
@@ -1,4 +1,8 @@
 name: Build & Publish
+
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -31,26 +35,26 @@ jobs:
             test-tag: roundcube/roundcubemail:latest-fpm-alpine
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Get docker hub username
         id: creds
         run: echo '::set-output name=username::${{ secrets.DOCKER_PULL_USERNAME }}'
       - name: Login to Docker Hub
         if: steps.creds.outputs.username != ''
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_PULL_USERNAME }}
           password: ${{ secrets.DOCKER_PUSH_PASSWORD }}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           buildkitd-flags: --debug
 
       - name: Build and push image for "${{ matrix.variant }}"
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: ${{ matrix.variant }}
           platforms: "linux/arm64,linux/arm/v6,linux/arm/v7,linux/s390x,linux/ppc64le,linux/386,linux/amd64,"
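Review bot: The bumped `uses:` lines in this hunk still reference mutable major-version tags (`actions/checkout@v4`, `docker/login-action@v3`, `docker/build-push-action@v5` and the two setup actions), and this job hands `secrets.DOCKER_PUSH_PASSWORD` to one of them, so a re-pointed tag would run with push credentials in scope. Pinning each action to a full commit SHA with the version as a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha>  # v3`, makes the reviewed code the code that runs; the same applies to the `uses:` lines in the test.yml and update-sh.yml hunks. Separately, the unchanged `Get docker hub username` step still uses the deprecated `::set-output` command. Writing to `$GITHUB_OUTPUT` is the current form, and emitting only a "credentials present" flag instead of the username would keep the secret value out of step outputs. The `Build and push image` step continues past the end of the hunk.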
index 5fe98cfacc18ab7e1c1d0b02fecc2317a7003074..a33e0aff7a699f913b6b811a9c1c157ac73abe45 100644 (file)
@@ -1,4 +1,8 @@
 name: Build & Test
+
+permissions:
+  contents: read
+
 on:
   pull_request: {}
   push:
@@ -24,13 +28,13 @@ jobs:
             docker-tag: roundcube/roundcubemail:test-fpm-alpine
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Get docker hub username
         id: creds
         run: echo '::set-output name=username::${{ secrets.DOCKER_PULL_USERNAME }}'
       - name: Login to Docker Hub
         if: steps.creds.outputs.username != ''
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_PULL_USERNAME }}
           password: ${{ secrets.DOCKER_PULL_PASSWORD }}
@@ -47,5 +51,3 @@ jobs:
             docker-compose -f ./tests/docker-compose.test-${testFile}.yml \
             up --exit-code-from=sut --abort-on-container-exit
           done
-          
-
index dd44683012286d4ffc325e02ab1a7b6d0a2afd48..09e3a89d5b7f3a94617855a85fde745367fddc86 100644 (file)
@@ -1,5 +1,9 @@
 name: update.sh
 
+permissions:
+  # Git push permissions are needed
+  contents: write
+
 on:
   push:
     branches:
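Review bot: `contents: write` is granted at workflow level here, so every job in update-sh.yml receives a write-capable `GITHUB_TOKEN`, while the checkout step in the next hunk is already configured with `token: ${{ secrets.WOKFLOW_TOKEN }}`. If the push is done with git through the credentials that checkout persists, it goes out under that secret's token and `GITHUB_TOKEN` could probably stay at `contents: read`. This needs confirming against the rest of the workflow, which is not visible in the hunk. If the write grant is required, moving the `permissions:` block under the single job that pushes keeps any other job in the file read-only.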
@@ -13,7 +17,7 @@ jobs:
     name: Run update.sh script
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         token: ${{ secrets.WOKFLOW_TOKEN }}
     - name: Run update.sh script