diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml index 1193d69199..aeef3601a6 100644 --- a/.github/workflows/autobuild.yml +++ b/.github/workflows/autobuild.yml @@ -30,7 +30,7 @@ jobs: - name: Set workspace as safe run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Generate build matrix @@ -51,7 +51,7 @@ jobs: image: ghcr.io/terrapkg/appstream-generator:main steps: - name: Download artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: merge-multiple: true path: ./artifacts diff --git a/.github/workflows/bootstrap.yml b/.github/workflows/bootstrap.yml index ba7aab07c1..59ce6d02f3 100644 --- a/.github/workflows/bootstrap.yml +++ b/.github/workflows/bootstrap.yml @@ -21,7 +21,7 @@ jobs: dnf5 swap -y --setopt=install_weak_deps=False systemd-standalone-sysusers systemd dnf5 install -y --setopt=install_weak_deps=False curl wget git-core openssl-devel cargo podman fuse-overlayfs dnf5-plugins rpmbuild script - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: f${{ matrix.version }} fetch-depth: 1 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 16687d18a8..310757f2bf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -29,7 +29,7 @@ jobs: options: --cap-add=SYS_ADMIN --privileged steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Setup Git diff --git a/.github/workflows/json-build.yml b/.github/workflows/json-build.yml index a70dd1db2d..4b7c7d4332 100644 --- a/.github/workflows/json-build.yml +++ b/.github/workflows/json-build.yml 
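Review bot: The pinned `actions/checkout` step in the `@@ -30,7` hunk of autobuild.yml still runs with the action's default `persist-credentials: true`, so the job token stays configured for git in every later step of the job. If the steps after `Generate build matrix` (outside the hunk) never push, add `persist-credentials: false` under `with:` next to `fetch-depth: 0`. The same default applies to the checkout steps in bootstrap.yml, build.yml and the `@@ -48,7` hunk of json-build.yml; build.yml and json-build.yml run inside a container started with `--cap-add=SYS_ADMIN --privileged`. The update-*.yml jobs pass an `ssh-key` and presumably do need persisted credentials.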
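Review bot: The job in the `@@ -51,7` hunk of autobuild.yml still pulls its container as `ghcr.io/terrapkg/appstream-generator:main`, a mutable tag, so the `download-artifact` pin covers only part of what that job executes. Consider pinning the image by digest as well, `image: ghcr.io/terrapkg/appstream-generator@sha256:<digest-placeholder>  # main`, with the digest taken from the registry at review time. The `ghcr.io/terrapkg/builder:f44` image in update-comps.yml, update-nightly.yml, update-weekly.yml and update.yml has the same gap. The job definition starts outside the hunk.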
@@ -48,7 +48,7 @@ jobs: options: --cap-add=SYS_ADMIN --privileged steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -58,7 +58,7 @@ jobs: - name: Configure sccache id: sccache if: ${{ !contains(matrix.pkg.labels.sccache, '0') }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SCCACHE_GHA_VERSION: ${{ matrix.version }}-${{ matrix.pkg.arch }}-${{ matrix.pkg.pkg }} SCCACHE_GHA_CACHE_FROM: ${{ matrix.version }}-${{ matrix.pkg.arch }}-${{ matrix.pkg.pkg }} @@ -86,7 +86,7 @@ jobs: - name: Report Cache Summary if: steps.sccache.outcome == 'success' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const script = require('./.github/scripts/sccache-stats.js') @@ -99,7 +99,7 @@ jobs: x=${NAME//\//@} echo "name=$x" >> $GITHUB_OUTPUT - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: ${{ steps.art.outputs.name }} compression-level: 0 # The RPMs are already compressed :p diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml index b6ffed0932..b51cce456a 100644 --- a/.github/workflows/sync.yml +++ b/.github/workflows/sync.yml @@ -1,13 +1,15 @@ name: Automatic backport/sync action permissions: - contents: write - pull-requests: write + contents: read on: pull_request_target: types: ["labeled", "closed"] jobs: backport: + permissions: + contents: write + pull-requests: write name: Backport/sync PR runs-on: ubuntu-22.04 if: github.event.pull_request.merged diff --git a/.github/workflows/update-branch.yml b/.github/workflows/update-branch.yml index e10aab6628..2cd74cbffe 100644 --- a/.github/workflows/update-branch.yml +++ b/.github/workflows/update-branch.yml 
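Review bot: The `backport` job in sync.yml keeps `contents: write` and `pull-requests: write` on a `pull_request_target` trigger, and the only guard visible in the hunk is `if: github.event.pull_request.merged`. The job's steps lie outside the hunk, so it is worth confirming that none of them checks out or runs code from the pull request's head ref while holding this token. A comment above the new job-level block, e.g. `# write scopes: pushes the backport branch and opens the sync PR`, would record why this job is exempt from the workflow-level `contents: read`; the wording should be adjusted to what the steps actually do.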
@@ -1,6 +1,6 @@ name: Update per branch permissions: - contents: write + contents: read on: schedule: - cron: "*/30 * * * *" @@ -8,6 +8,8 @@ on: jobs: autoupdate: + permissions: + contents: write runs-on: ubuntu-24.04-arm strategy: matrix: @@ -22,7 +24,7 @@ jobs: options: --cap-add=SYS_ADMIN --privileged steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ matrix.branch }} fetch-depth: 0 diff --git a/.github/workflows/update-comps.yml b/.github/workflows/update-comps.yml index 418f6a7a2c..cb7de43253 100644 --- a/.github/workflows/update-comps.yml +++ b/.github/workflows/update-comps.yml @@ -20,7 +20,7 @@ jobs: container: image: ghcr.io/terrapkg/builder:f44 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Push to subatomic run: | branch=${{ github.ref_name }} diff --git a/.github/workflows/update-nightly.yml b/.github/workflows/update-nightly.yml index b31a1b4f81..656ebe6775 100644 --- a/.github/workflows/update-nightly.yml +++ b/.github/workflows/update-nightly.yml @@ -1,6 +1,6 @@ name: Nightly Update permissions: - contents: write + contents: read on: schedule: - cron: "0 0 * * *" @@ -8,13 +8,15 @@ on: jobs: autoupdate: + permissions: + contents: write runs-on: ubuntu-24.04-arm container: image: ghcr.io/terrapkg/builder:f44 options: --cap-add=SYS_ADMIN --privileged steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 ssh-key: ${{ secrets.SSH_AUTHENTICATION_KEY }} diff --git a/.github/workflows/update-weekly.yml b/.github/workflows/update-weekly.yml index 16aaa128e9..5ca15b10b5 100644 --- a/.github/workflows/update-weekly.yml +++ b/.github/workflows/update-weekly.yml @@ -1,6 +1,6 @@ name: Weekly Update permissions: - contents: write + contents: read on: schedule: - cron: "0 0 * * *" 
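Review bot: In the `@@ -20,7` hunk of update-comps.yml the `Push to subatomic` step still expands `${{ github.ref_name }}` directly into the shell script, so the ref name is pasted into the script text before the shell parses it. Reading the runner-provided variable instead keeps it as data: `branch="$GITHUB_REF_NAME"`. The workflow's triggers are outside the hunk, so it is not visible how much control an outside contributor has over the ref name here. The `run:` block also continues past the end of the hunk.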
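Review bot: The `autoupdate` job in the `@@ -8,13` hunk of update-nightly.yml is granted `contents: write` on the job token, yet its checkout authenticates with `ssh-key: ${{ secrets.SSH_AUTHENTICATION_KEY }}`, which suggests pushes go over the SSH key rather than `GITHUB_TOKEN`. If no later step (outside the hunk) uses the token to write, the job-level block can be dropped or set to `contents: read`, leaving the SSH key as the only write credential. The `@@ -8,13` hunks of update-weekly.yml and update.yml have the same shape.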
@@ -8,13 +8,15 @@ on: jobs: autoupdate: + permissions: + contents: write runs-on: ubuntu-24.04-arm container: image: ghcr.io/terrapkg/builder:f44 options: --cap-add=SYS_ADMIN --privileged steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 ssh-key: ${{ secrets.SSH_AUTHENTICATION_KEY }} diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml index 50f1689294..f8ad57f96f 100644 --- a/.github/workflows/update.yml +++ b/.github/workflows/update.yml @@ -1,6 +1,6 @@ name: Update permissions: - contents: write + contents: read on: schedule: - cron: "*/10 * * * *" @@ -8,13 +8,15 @@ on: jobs: autoupdate: + permissions: + contents: write runs-on: ubuntu-24.04-arm container: image: ghcr.io/terrapkg/builder:f44 options: --cap-add=SYS_ADMIN --privileged steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 ssh-key: ${{ secrets.SSH_AUTHENTICATION_KEY }} diff --git a/README.md b/README.md index 8a7ae3ee65..ccc0e057e3 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # Terra Sources -[![Repository status](https://repology.org/badge/repository-big/terra_rawhide.svg?header=Terra+Rawhide)](https://repology.org/repository/terra_rawhide) +[![Repository status](https://repology.org/badge/repository-big/terra_rawhide.svg?header=Terra+Rawhide)](https://repology.org/repository/terra_rawhide) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/terrapkg/packages/badge)](https://scorecard.dev/viewer/?uri=github.com/terrapkg/packages) + Terra is a rolling-release Fedora repository for all the software you need. With Terra, you can install the latest packages knowing that quality and security are assured.