ci(workflows): improve security and update actions

- set top-level explicit permissions for each GitHub Actions workflow for improved security and deduplication of permissions. - add `persist-credentials: false` to actions/checkout for improved security - see https://github.com/actions/checkout#checkout-v4 - update actions/checkout from v4 to v5
2026-04-17 23:20:43 +00:00 · 2025-11-06 14:40:54 +01:00
parent 2d64cdad7c
commit 6557514954
13 changed files with 110 additions and 90 deletions
--- a/.github/workflows/coolify-testing-host.yml
+++ b/.github/workflows/coolify-testing-host.yml
@@ -7,6 +7,10 @@ on:
      - .github/workflows/coolify-testing-host.yml
      - docker/testing-host/Dockerfile

+permissions:
+  contents: read
+  packages: write
+
 env:
  GITHUB_REGISTRY: ghcr.io
  DOCKER_REGISTRY: docker.io
@@ -15,11 +19,10 @@ env:
 jobs:
  amd64:
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false

      - name: Login to ${{ env.GITHUB_REGISTRY }}
        uses: docker/login-action@v3
@@ -50,11 +53,10 @@ jobs:

  aarch64:
    runs-on: [ self-hosted, arm64 ]
-    permissions:
-      contents: read
-      packages: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false

      - name: Login to ${{ env.GITHUB_REGISTRY }}
        uses: docker/login-action@v3
@@ -85,12 +87,11 @@ jobs:

  merge-manifest:
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
    needs: [ amd64, aarch64 ]
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false

      - uses: docker/setup-buildx-action@v3