1111 - develop
1212 workflow_dispatch :
1313
14- permissions :
15- contents : write
16- pull-requests : read
17- packages : write
18- id-token : write
19- attestations : write
14+ # Prevent concurrent runs on same branch
15+ concurrency :
16+ group : ${{ github.workflow }}-${{ github.ref }}
17+ cancel-in-progress : true
18+
19+ # Explicit no permissions at workflow level (set per-job)
20+ permissions : {}
2021
2122env :
2223 REGISTRY : ghcr.io
2930 build-and-test :
3031 name : Build and Test
3132 runs-on : ubuntu-latest
33+ permissions :
34+ contents : read
3235 steps :
3336 - name : Checkout code
3437 uses : actions/checkout@v5
@@ -102,6 +105,8 @@ jobs:
102105 lint :
103106 name : Lint Code
104107 runs-on : ubuntu-latest
108+ permissions :
109+ contents : read
105110 steps :
106111 - name : Checkout code
107112 uses : actions/checkout@v5
@@ -134,7 +139,7 @@ jobs:
134139 persist-credentials : false
135140
136141 - name : Run Trivy vulnerability scanner
137- uses : aquasecurity/trivy-action@master
142+ uses : aquasecurity/trivy-action@0.28.0
138143 with :
139144 scan-type : ' fs'
140145 scan-ref : ' .'
@@ -149,7 +154,7 @@ jobs:
149154 sarif_file : ' trivy-results.sarif'
150155
151156 - name : Run Gosec Security Scanner
152- uses : securego/gosec@master
157+ uses : securego/gosec@v2.21.4
153158 with :
154159 args : ' -no-fail -fmt sarif -out gosec-results.sarif ./...'
155160
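Review bot: The security-scan job that owns the Trivy step in the preceding hunk and the Gosec step here does not, in any visible hunk, gain the job-level `permissions:` block that build-and-test, lint, build-binaries, docker-build-push, integration-test and notify all receive, yet the workflow now starts from `permissions: {}`; the step that consumes `sarif_file: 'trivy-results.sarif'` (presumably `github/codeql-action/upload-sarif`) needs `security-events: write`, and checkout of a private repository needs `contents: read`, so unless that job already declared them before this commit the SARIF uploads will most likely start failing. If it is missing, add `permissions:` with `contents: read` and `security-events: write` under the security-scan job header, which lies outside these hunks. Separately, replacing `@master` with `aquasecurity/trivy-action@0.28.0` and `securego/gosec@v2.21.4` is a clear improvement, but a tag can still be moved by the upstream owner; pinning to the full commit SHA with the version as a trailing comment (`uses: aquasecurity/trivy-action@<full-commit-sha>  # v0.28.0`) closes that remaining supply-chain gap, and the same applies to the `@v4`/`@v5`/`@v6` major tags elsewhere in the file.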
@@ -163,6 +168,8 @@ jobs:
163168 build-binaries :
164169 name : Build Multi-Platform Binaries
165170 runs-on : ubuntu-latest
171+ permissions :
172+ contents : read
166173 needs : [build-and-test, lint]
167174 if : github.event_name == 'push' || github.event_name == 'workflow_dispatch'
168175 strategy :
@@ -199,8 +206,11 @@ jobs:
199206 GOOS : ${{ matrix.os }}
200207 GOARCH : ${{ matrix.arch }}
201208 CGO_ENABLED : 0
209+ VERSION : ${{ github.ref_name }}
210+ COMMIT_HASH : ${{ github.sha }}
211+ OUTPUT_NAME : ${{ matrix.output }}
202212 run : |
203- go build -ldflags="-s -w -X 'main.Version=${{ github.ref_name }} ' -X 'main.GitCommitHash=${{ github.sha }} ' -X 'main.BuiltAt=$(date -u +%Y-%m-%dT%H:%M:%SZ)'" -o ${{ matrix.output }}
213+ go build -ldflags="-s -w -X 'main.Version=${VERSION} ' -X 'main.GitCommitHash=${COMMIT_HASH} ' -X 'main.BuiltAt=$(date -u +%Y-%m-%dT%H:%M:%SZ)'" -o "${OUTPUT_NAME}"
204214
205215 - name : Upload binary artifact
206216 uses : actions/upload-artifact@v4
@@ -213,6 +223,11 @@ jobs:
213223 docker-build-push :
214224 name : Build and Push Docker Image
215225 runs-on : ubuntu-latest
226+ permissions :
227+ contents : read
228+ packages : write
229+ id-token : write
230+ attestations : write
216231 needs : [build-and-test, lint]
217232 if : github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')
218233 steps :
@@ -254,6 +269,7 @@ jobs:
254269 type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
255270
256271 - name : Build and push Docker image
272+ id : build
257273 uses : docker/build-push-action@v6
258274 with :
259275 context : .
@@ -278,13 +294,20 @@ jobs:
278294 integration-test :
279295 name : Integration Test
280296 runs-on : ubuntu-latest
297+ permissions :
298+ contents : read
281299 needs : [docker-build-push]
282300 if : github.event_name == 'push' && github.ref == 'refs/heads/main'
283301 steps :
284302 - name : Checkout code
285303 uses : actions/checkout@v5
304+ with :
305+ persist-credentials : false
286306
287307 - name : Create test config
308+ env :
309+ REPO_OWNER : ${{ github.repository_owner }}
310+ REPO_NAME : ${{ github.event.repository.name }}
288311 run : |
289312 cat > test-config.yml << EOF
290313 loglevel: info
@@ -300,8 +323,8 @@ jobs:
300323 applicability:
301324 - Maturity Level 1
302325 vars:
303- owner: ${{ github.repository_owner } }
304- repo: ${{ github.event.repository.name } }
326+ owner: ${REPO_OWNER }
327+ repo: ${REPO_NAME }
305328 token: \${{ secrets.GITHUB_TOKEN }}
306329 EOF
307330
@@ -324,6 +347,8 @@ jobs:
324347 notify :
325348 name : Notify Status
326349 runs-on : ubuntu-latest
350+ permissions :
351+ contents : read
327352 needs : [build-and-test, lint, security-scan, docker-build-push]
328353 if : always() && (github.event_name == 'push' && github.ref == 'refs/heads/main')
329354 steps :