ci(workflows): improve security and update actions

- set explicit top-level permissions for each GitHub Actions workflow, improving security and removing duplicated per-job permissions.
- add `persist-credentials: false` to actions/checkout for improved security - see https://github.com/actions/checkout#checkout-v4
- update actions/checkout from v4 to v5
This commit is contained in:
peaklabs-dev
2025-11-06 14:40:54 +01:00
parent 2d64cdad7c
commit 6557514954
13 changed files with 110 additions and 90 deletions


@@ -4,6 +4,11 @@ on:
schedule: schedule:
- cron: '0 1 * * *' - cron: '0 1 * * *'
permissions:
issues: write
discussions: write
pull-requests: write
jobs: jobs:
lock-threads: lock-threads:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -13,5 +18,5 @@ jobs:
with: with:
github-token: ${{ secrets.GITHUB_TOKEN }} github-token: ${{ secrets.GITHUB_TOKEN }}
issue-inactive-days: '30' issue-inactive-days: '30'
pr-inactive-days: '30'
discussion-inactive-days: '30' discussion-inactive-days: '30'
pr-inactive-days: '30'


@@ -4,6 +4,10 @@ on:
schedule: schedule:
- cron: '0 2 * * *' - cron: '0 2 * * *'
permissions:
issues: write
pull-requests: write
jobs: jobs:
manage-stale: manage-stale:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@@ -3,20 +3,13 @@ on:
pull_request_target: pull_request_target:
types: types:
- labeled - labeled
permissions:
pull-requests: write
jobs: jobs:
add-comment: add-comment:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
pull-requests: write
contents: read
actions: none
checks: none
deployments: none
issues: none
packages: none
repository-projects: none
security-events: none
statuses: none
strategy: strategy:
matrix: matrix:
include: include:
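Review bot: The removed job-level block granted `contents: read`, but the new top-level block grants only `pull-requests: write`, so the add-comment job's token no longer has read access to repository contents. If any step of this job checks out the repository or reads files through the API (the job's steps are outside the hunk), add `contents: read` next to `pull-requests: write` in the top-level block. Dropping the explicit `none` entries is fine, since any scope not listed in a `permissions` block is already `none`.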


@@ -8,6 +8,10 @@ on:
pull_request_target: pull_request_target:
types: [closed] types: [closed]
permissions:
issues: write
pull-requests: write
jobs: jobs:
remove-labels-and-assignees: remove-labels-and-assignees:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@@ -1,17 +1,14 @@
name: Cleanup Untagged GHCR Images name: Cleanup Untagged GHCR Images
on: on:
workflow_dispatch: # Manual trigger only workflow_dispatch:
env: permissions:
GITHUB_REGISTRY: ghcr.io packages: write
jobs: jobs:
cleanup-all-packages: cleanup-all-packages:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
strategy: strategy:
matrix: matrix:
package: ['coolify', 'coolify-helper', 'coolify-realtime', 'coolify-testing-host'] package: ['coolify', 'coolify-helper', 'coolify-realtime', 'coolify-testing-host']
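Review bot: The `env:` block with `GITHUB_REGISTRY: ghcr.io` is deleted together with the job-level permissions, although the commit message describes only permission and checkout changes; any later step that still references `${{ env.GITHUB_REGISTRY }}` (the job's steps are outside the hunk) would now expand to an empty string. If the variable is genuinely unused the deletion is fine but should be mentioned in the description; otherwise restore the `env:` block. The dropped `# Manual trigger only` comment on `workflow_dispatch:` documented the trigger choice and could be kept.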


@@ -7,6 +7,10 @@ on:
- .github/workflows/coolify-helper-next.yml - .github/workflows/coolify-helper-next.yml
- docker/coolify-helper/Dockerfile - docker/coolify-helper/Dockerfile
permissions:
contents: read
packages: write
env: env:
GITHUB_REGISTRY: ghcr.io GITHUB_REGISTRY: ghcr.io
DOCKER_REGISTRY: docker.io DOCKER_REGISTRY: docker.io
@@ -15,11 +19,10 @@ env:
jobs: jobs:
amd64: amd64:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- name: Login to ${{ env.GITHUB_REGISTRY }} - name: Login to ${{ env.GITHUB_REGISTRY }}
uses: docker/login-action@v3 uses: docker/login-action@v3
@@ -54,11 +57,10 @@ jobs:
coolify.managed=true coolify.managed=true
aarch64: aarch64:
runs-on: [ self-hosted, arm64 ] runs-on: [ self-hosted, arm64 ]
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- name: Login to ${{ env.GITHUB_REGISTRY }} - name: Login to ${{ env.GITHUB_REGISTRY }}
uses: docker/login-action@v3 uses: docker/login-action@v3
@@ -94,12 +96,12 @@ jobs:
merge-manifest: merge-manifest:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
needs: [ amd64, aarch64 ] needs: [ amd64, aarch64 ]
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- uses: docker/setup-buildx-action@v3 - uses: docker/setup-buildx-action@v3
- name: Login to ${{ env.GITHUB_REGISTRY }} - name: Login to ${{ env.GITHUB_REGISTRY }}
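Review bot: `actions/checkout@v5` and `docker/login-action@v3` on the new side are still mutable tag references; given that the commit's stated aim is hardening these workflows, pinning each third-party action to a full commit SHA with the tag in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v5`, would close the remaining supply-chain gap. The same applies to the checkout and login steps in the other image-build workflow sections of this commit. Folding the identical per-job `contents: read`/`packages: write` blocks into the top-level block is behaviour-preserving here because all three jobs had the same scopes.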


@@ -7,6 +7,10 @@ on:
- .github/workflows/coolify-helper.yml - .github/workflows/coolify-helper.yml
- docker/coolify-helper/Dockerfile - docker/coolify-helper/Dockerfile
permissions:
contents: read
packages: write
env: env:
GITHUB_REGISTRY: ghcr.io GITHUB_REGISTRY: ghcr.io
DOCKER_REGISTRY: docker.io DOCKER_REGISTRY: docker.io
@@ -15,11 +19,10 @@ env:
jobs: jobs:
amd64: amd64:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- name: Login to ${{ env.GITHUB_REGISTRY }} - name: Login to ${{ env.GITHUB_REGISTRY }}
uses: docker/login-action@v3 uses: docker/login-action@v3
@@ -54,11 +57,10 @@ jobs:
coolify.managed=true coolify.managed=true
aarch64: aarch64:
runs-on: [ self-hosted, arm64 ] runs-on: [ self-hosted, arm64 ]
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- name: Login to ${{ env.GITHUB_REGISTRY }} - name: Login to ${{ env.GITHUB_REGISTRY }}
uses: docker/login-action@v3 uses: docker/login-action@v3
@@ -93,12 +95,11 @@ jobs:
coolify.managed=true coolify.managed=true
merge-manifest: merge-manifest:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
needs: [ amd64, aarch64 ] needs: [ amd64, aarch64 ]
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- uses: docker/setup-buildx-action@v3 - uses: docker/setup-buildx-action@v3


@@ -14,6 +14,10 @@ on:
- templates/** - templates/**
- CHANGELOG.md - CHANGELOG.md
permissions:
contents: read
packages: write
env: env:
GITHUB_REGISTRY: ghcr.io GITHUB_REGISTRY: ghcr.io
DOCKER_REGISTRY: docker.io DOCKER_REGISTRY: docker.io
@@ -23,7 +27,9 @@ jobs:
amd64: amd64:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- name: Login to ${{ env.GITHUB_REGISTRY }} - name: Login to ${{ env.GITHUB_REGISTRY }}
uses: docker/login-action@v3 uses: docker/login-action@v3
@@ -58,7 +64,9 @@ jobs:
aarch64: aarch64:
runs-on: [self-hosted, arm64] runs-on: [self-hosted, arm64]
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- name: Login to ${{ env.GITHUB_REGISTRY }} - name: Login to ${{ env.GITHUB_REGISTRY }}
uses: docker/login-action@v3 uses: docker/login-action@v3
@@ -92,12 +100,11 @@ jobs:
merge-manifest: merge-manifest:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
needs: [amd64, aarch64] needs: [amd64, aarch64]
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- uses: docker/setup-buildx-action@v3 - uses: docker/setup-buildx-action@v3


@@ -11,6 +11,10 @@ on:
- docker/coolify-realtime/package-lock.json - docker/coolify-realtime/package-lock.json
- docker/coolify-realtime/soketi-entrypoint.sh - docker/coolify-realtime/soketi-entrypoint.sh
permissions:
contents: read
packages: write
env: env:
GITHUB_REGISTRY: ghcr.io GITHUB_REGISTRY: ghcr.io
DOCKER_REGISTRY: docker.io DOCKER_REGISTRY: docker.io
@@ -19,11 +23,10 @@ env:
jobs: jobs:
amd64: amd64:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- name: Login to ${{ env.GITHUB_REGISTRY }} - name: Login to ${{ env.GITHUB_REGISTRY }}
uses: docker/login-action@v3 uses: docker/login-action@v3
@@ -59,11 +62,11 @@ jobs:
aarch64: aarch64:
runs-on: [ self-hosted, arm64 ] runs-on: [ self-hosted, arm64 ]
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- name: Login to ${{ env.GITHUB_REGISTRY }} - name: Login to ${{ env.GITHUB_REGISTRY }}
uses: docker/login-action@v3 uses: docker/login-action@v3
@@ -99,12 +102,11 @@ jobs:
merge-manifest: merge-manifest:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
needs: [ amd64, aarch64 ] needs: [ amd64, aarch64 ]
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- uses: docker/setup-buildx-action@v3 - uses: docker/setup-buildx-action@v3


@@ -11,6 +11,10 @@ on:
- docker/coolify-realtime/package-lock.json - docker/coolify-realtime/package-lock.json
- docker/coolify-realtime/soketi-entrypoint.sh - docker/coolify-realtime/soketi-entrypoint.sh
permissions:
contents: read
packages: write
env: env:
GITHUB_REGISTRY: ghcr.io GITHUB_REGISTRY: ghcr.io
DOCKER_REGISTRY: docker.io DOCKER_REGISTRY: docker.io
@@ -19,11 +23,10 @@ env:
jobs: jobs:
amd64: amd64:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- name: Login to ${{ env.GITHUB_REGISTRY }} - name: Login to ${{ env.GITHUB_REGISTRY }}
uses: docker/login-action@v3 uses: docker/login-action@v3
@@ -59,11 +62,10 @@ jobs:
aarch64: aarch64:
runs-on: [ self-hosted, arm64 ] runs-on: [ self-hosted, arm64 ]
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- name: Login to ${{ env.GITHUB_REGISTRY }} - name: Login to ${{ env.GITHUB_REGISTRY }}
uses: docker/login-action@v3 uses: docker/login-action@v3
@@ -99,12 +101,11 @@ jobs:
merge-manifest: merge-manifest:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
needs: [ amd64, aarch64 ] needs: [ amd64, aarch64 ]
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- uses: docker/setup-buildx-action@v3 - uses: docker/setup-buildx-action@v3


@@ -17,6 +17,10 @@ on:
- templates/** - templates/**
- CHANGELOG.md - CHANGELOG.md
permissions:
contents: read
packages: write
env: env:
GITHUB_REGISTRY: ghcr.io GITHUB_REGISTRY: ghcr.io
DOCKER_REGISTRY: docker.io DOCKER_REGISTRY: docker.io
@@ -34,11 +38,10 @@ jobs:
platform: linux/aarch64 platform: linux/aarch64
runner: ubuntu-24.04-arm runner: ubuntu-24.04-arm
runs-on: ${{ matrix.runner }} runs-on: ${{ matrix.runner }}
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v5 - uses: actions/checkout@v5
with:
persist-credentials: false
- name: Sanitize branch name for Docker tag - name: Sanitize branch name for Docker tag
id: sanitize id: sanitize
@@ -82,11 +85,10 @@ jobs:
merge-manifest: merge-manifest:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
needs: build-push needs: build-push
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v5 - uses: actions/checkout@v5
with:
persist-credentials: false
- name: Sanitize branch name for Docker tag - name: Sanitize branch name for Docker tag
id: sanitize id: sanitize


@@ -7,6 +7,10 @@ on:
- .github/workflows/coolify-testing-host.yml - .github/workflows/coolify-testing-host.yml
- docker/testing-host/Dockerfile - docker/testing-host/Dockerfile
permissions:
contents: read
packages: write
env: env:
GITHUB_REGISTRY: ghcr.io GITHUB_REGISTRY: ghcr.io
DOCKER_REGISTRY: docker.io DOCKER_REGISTRY: docker.io
@@ -15,11 +19,10 @@ env:
jobs: jobs:
amd64: amd64:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- name: Login to ${{ env.GITHUB_REGISTRY }} - name: Login to ${{ env.GITHUB_REGISTRY }}
uses: docker/login-action@v3 uses: docker/login-action@v3
@@ -50,11 +53,10 @@ jobs:
aarch64: aarch64:
runs-on: [ self-hosted, arm64 ] runs-on: [ self-hosted, arm64 ]
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- name: Login to ${{ env.GITHUB_REGISTRY }} - name: Login to ${{ env.GITHUB_REGISTRY }}
uses: docker/login-action@v3 uses: docker/login-action@v3
@@ -85,12 +87,11 @@ jobs:
merge-manifest: merge-manifest:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
needs: [ amd64, aarch64 ] needs: [ amd64, aarch64 ]
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v5
with:
persist-credentials: false
- uses: docker/setup-buildx-action@v3 - uses: docker/setup-buildx-action@v3


@@ -16,6 +16,7 @@ jobs:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
persist-credentials: false
fetch-depth: 0 fetch-depth: 0
- name: Generate changelog - name: Generate changelog
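Review bot: This checkout step stays at `actions/checkout@v4` while the commit description says actions/checkout was updated from v4 to v5; either bump it to `uses: actions/checkout@v5` for consistency with the other workflows or amend the description. `persist-credentials: false` together with `fetch-depth: 0` is fine for a read-only changelog generation step, but any later step in this job that pushes commits or tags (the remaining steps are outside the hunk) would now fail unless it supplies its own token.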