diff --git a/.github/workflows/ast-cli-team-review.yml b/.github/workflows/ast-cli-team-review.yml
index a861b71..6f93793 100644
--- a/.github/workflows/ast-cli-team-review.yml
+++ b/.github/workflows/ast-cli-team-review.yml
@@ -11,11 +11,11 @@ permissions:
 jobs:
 add-assignee-and-reviewers:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 if: ${{ github.event.pull_request.user.type != 'Bot' }}
 steps:
 - name: Set up GitHub CLI
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 version: latest
diff --git a/.github/workflows/auto-merge-pr.yml b/.github/workflows/auto-merge-pr.yml
index 9b126e9..d215fd2 100644
--- a/.github/workflows/auto-merge-pr.yml
+++ b/.github/workflows/auto-merge-pr.yml
@@ -6,7 +6,7 @@ permissions:
 jobs:
 dependabot-merge:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 if: contains(github.head_ref, 'feature/update_cli')
 steps:
 - name: Enable auto-merge for Dependabot PRs
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 96a76f6..4e1417e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,9 +1,12 @@
 name: AST Javascript wrapper CI
 on: [pull_request]
+permissions:
+ contents: read
+
 jobs:
 integration-tests:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 steps:
 - uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4
 with:
diff --git a/.github/workflows/cx-one-scan.yaml b/.github/workflows/cx-one-scan.yaml
index 674720f..cc66313 100644
--- a/.github/workflows/cx-one-scan.yaml
+++ b/.github/workflows/cx-one-scan.yaml
@@ -11,7 +11,7 @@ on:
 jobs:
 cx-one-scan:
 name: cx-one-scan
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 steps:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/delete-packages-and-releases.yml b/.github/workflows/delete-packages-and-releases.yml
index 9c422ae..8156e3b 100644
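Review bot: In `.github/workflows/ast-cli-team-review.yml` the step named "Set up GitHub CLI" is really an `actions/checkout` call, and its `with: version: latest` is not an input that action defines, so the new SHA pin lands on a step whose name and arguments do not describe what runs. If the job only assigns reviewers it may not need the repository contents at all; otherwise rename the step, e.g. `- name: Check out repository`, drop the `version` key, and consider `persist-credentials: false` so the token is not written into the workspace git config. The workflow trigger and the remaining steps are outside the hunk, so whether the checkout is needed could not be confirmed here.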
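Review bot: In `.github/workflows/auto-merge-pr.yml` the `dependabot-merge` job is gated only by `contains(github.head_ref, 'feature/update_cli')`, and a pull request's branch name is chosen by whoever opens it. Now that the job runs on the `cx-public-ubuntu-x64` pool, the guard should also require that the head branch lives in this repository, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository && startsWith(github.head_ref, 'feature/update_cli')`. The trigger and the job's steps are outside the hunk, so the real exposure depends on them.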
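Review bot: `integration-tests` in `.github/workflows/ci.yml` runs on every `pull_request`, so after this change code from the pull request executes on the `cx-public-ubuntu-x64` runner instead of a GitHub-hosted `ubuntu-latest` VM. The diff does not show whether that label maps to an ephemeral runner; if it is a persistent self-hosted machine, a job can leave files, processes or cached credentials behind for later jobs, so this should be confirmed before merging. A short comment above the line, such as `# org runner group; ephemeral, one job per VM`, would record the assumption. The same label change appears in every other workflow in this commit, including `release.yml`, which handles `secrets.OR_GITHUB_TOKEN`.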
--- a/.github/workflows/delete-packages-and-releases.yml
+++ b/.github/workflows/delete-packages-and-releases.yml
@@ -21,7 +21,7 @@ permissions:
 jobs:
 delete:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 steps:
 - name: Delete npm packages
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index e466ac0..6ff6961 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -6,7 +6,7 @@ permissions:
 jobs:
 dependabot-merge:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 if: ${{ github.actor == 'dependabot[bot]' }}
 steps:
 - name: Dependabot metadata
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9d698ac..28e1525 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -47,7 +47,7 @@ jobs:
 secrets: inherit
 if: inputs.dev == true
 release:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 env:
 GITHUB_TOKEN: ${{ secrets.OR_GITHUB_TOKEN }}
 BRANCH_NAME: npm-version-patch
@@ -57,7 +57,7 @@ jobs:
 steps: # CHECKOUT PROJECT
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
 lfs: true # Ensure LFS files are checked out
@@ -68,7 +68,7 @@ jobs:
 git config user.email github-actions@github.com # SETUP NODE
- - uses: actions/setup-node@v4.0.2
+ - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
 with:
 node-version: 22.11.0
 registry-url: https://npm.pkg.github.com/
diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml
index 5c28732..7ddbcd4 100644
--- a/.github/workflows/update-cli.yml
+++ b/.github/workflows/update-cli.yml
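Review bot: The guard `if: ${{ github.actor == 'dependabot[bot]' }}` in `.github/workflows/dependabot-auto-merge.yml` checks who triggered the run, not who authored the pull request, and the two can differ. Checking the author is the stricter condition: `if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}`. The workflow trigger and the merge steps are outside the hunk, so this is raised for confirmation rather than as a demonstrated gap.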
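Review bot: The `release` job in `.github/workflows/release.yml` sets `GITHUB_TOKEN: ${{ secrets.OR_GITHUB_TOKEN }}` at job level, so every step, including third-party actions and any scripts later in the job, sees that token, and the job now runs on the `cx-public-ubuntu-x64` pool. Moving the variable to a step-level `env:` on only the steps that push or publish would narrow the exposure. It is also worth confirming that the runner is torn down after each job, since `actions/checkout` persists credentials in the workspace git config by default. The steps that consume the token are outside the hunk, so which of them need it could not be checked.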
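Review bot: With the pin in the second `release.yml` hunk, three different `actions/checkout` commits are in use across the workflows in this commit: the one commented `# v4.3.1` here and in `ast-cli-team-review.yml` and `update-cli.yml`, the one commented only `#v4` in `ci.yml`, and the one commented `# v4.2.2` in `cx-one-scan.yaml`. Aligning them on one reviewed commit, and giving the `ci.yml` pin an exact version comment, makes the pins easier to audit and to update together. The trailing comment is not checked by the runner, so each SHA should be compared against the tag it names before merging.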
@@ -4,11 +4,14 @@ on:
 repository_dispatch:
 types: [cli-version-update]
+permissions:
+ contents: read
+
 jobs:
 update-checkmarx-cli:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 lfs: true
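Review bot: The new top-level `permissions: contents: read` in `.github/workflows/update-cli.yml` limits the default token to read access, but the workflow name and the `repository_dispatch` trigger suggest that later steps create a branch or pull request for the CLI update. Those steps are outside the hunk: if they rely on the default `GITHUB_TOKEN` they will start failing and need job-level scopes such as `contents: write` and `pull-requests: write`. If they use a separate token, adding `persist-credentials: false` under the checkout's `with:` keeps the default token out of the workspace. Either way, a one-line comment above `permissions:` stating which token performs the write would make the intent clear.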