feat: enhance GitHub workflows with build provenance and linter permi…

…ssions; add Dependabot configuration
MasterLaplace · Nov 8, 2024 · 7026c57 · 7026c57
1 parent ea1bb21
commit 7026c57
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+      time: "16:00"
+
+  - package-ecosystem: "gitsubmodule"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+      time: "16:00"
diff --git a/.github/workflows/create_release.yml b/.github/workflows/create_release.yml
@@ -7,6 +7,9 @@ on:
 
 permissions:
   contents: write
+  id-token: write
+  attestations: write
+  security-events: write
 
 jobs:
   bump_version_and_create_release:
@@ -31,6 +34,13 @@ jobs:
         run: |
           python3 Scripts/increment_version.py ${{ steps.test_tag_version.outputs.new_tag }}
 
+      - name: Attest Build Provenance
+        uses: actions/[email protected]
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          subject-name: "Flakkari Version Bump"
+          subject-path: "Scripts/increment_version.py"
+
       - name: Set up Git and Push changes
         env:
           github_token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -6,6 +6,9 @@ on:
      - 'ga-ignore-**'
      - 'gh-pages'
 
+permissions:
+  contents: write
+
 jobs:
   lint_code:
     name: Lint with clang-format