diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fefd8f41a..14c7e5f09 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,9 @@ name: CI on: [push, pull_request]
+permissions:
+ contents: read
+ jobs: test-ubuntu-latest:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index dc7413e59..02955f300 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,11 +6,16 @@ on: # run weekly new vulnerability was added to the database - cron: '0 0 * * 0'
+permissions:
+ contents: read
+ jobs: analyze: name: Analyze runs-on: ubuntu-latest
- if: github.event_name != 'schedule' || github.repository == 'redis/redis'
+ if: github.event_name != 'schedule' || github.repository == 'valkey-io/valkey'
+ permissions:
+ security-events: write strategy: fail-fast: false
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
new file mode 100644
index 000000000..d63ba6ab5
--- /dev/null
+++ b/.github/workflows/coverity.yml
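Review bot: The job-level `permissions:` block added to the analyze job in codeql-analysis.yml lists only `security-events: write`; a job-level block replaces the workflow-level one rather than extending it, so this job no longer receives the `contents: read` granted at the top of the file and the checkout step (outside the hunk) may fail for lack of repository read access. Add `contents: read` next to it, e.g. `permissions:` / `contents: read` / `security-events: write`; the CodeQL starter workflow also lists `actions: read` there, which is documented as needed only for private repositories. The analyze job continues past the end of the hunk.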
@@ -0,0 +1,33 @@
+# Creates and uploads a Coverity build on a schedule
+name: Coverity Scan
+on:
+ schedule:
+ # Run once daily, since below 500k LOC can have 21 builds per week, per https://scan.coverity.com/faq#frequency
+ - cron: '0 0 * * *'
+ # Support manual execution
+ workflow_dispatch:
+permissions:
+ contents: read
+jobs:
+ coverity:
+ if: github.repository == 'valkey-io/valkey'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@main
+ - name: Download and extract the Coverity Build Tool
+ run: |
+ wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=${{ secrets.COVERITY_SCAN_TOKEN }}&project=valkey-io%2Fvalkey" -O cov-analysis-linux64.tar.gz
+ mkdir cov-analysis-linux64
+ tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
+ - name: Install Valkey dependencies
+ run: sudo apt install -y gcc procps libssl-dev
+ - name: Build with cov-build
+ run: cov-analysis-linux64/bin/cov-build --dir cov-int make
+ - name: Upload the result
+ run: |
+ tar czvf cov-int.tgz cov-int
+ curl \
+ --form email=${{ secrets.COVERITY_SCAN_EMAIL }} \
+ --form token=${{ secrets.COVERITY_SCAN_TOKEN }} \
+ --form file=@cov-int.tgz \
+ https://scan.coverity.com/builds?project=valkey-io%2Fvalkey
diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml
index 72b472a9e..8724d507b 100644
--- a/.github/workflows/daily.yml
+++ b/.github/workflows/daily.yml
@@ -28,6 +28,8 @@ on: description: 'git branch or sha to use' default: 'unstable'
+permissions:
+ contents: read jobs:
diff --git a/.github/workflows/external.yml b/.github/workflows/external.yml
index a18cf0908..8111c5e6c 100644
--- a/.github/workflows/external.yml
+++ b/.github/workflows/external.yml
@@ -6,6 +6,9 @@ on: schedule: - cron: '0 0 * * *'
+permissions:
+ contents: read
+ jobs: test-external-standalone: runs-on: ubuntu-latest
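Review bot: The `curl` call in the "Upload the result" step of coverity.yml has no `--fail`, so an HTTP error from scan.coverity.com (rejected token, quota exhausted) still exits 0 and the job turns green without a build having been submitted; change the first line to `curl --fail --silent --show-error \` (or `--fail-with-body` on curl 7.76+ to keep the server's response in the log). `actions/checkout@main` floats on the action's default branch, so any change there runs in a job that holds the Coverity secrets, and it is also inconsistent with the `@v3`-pinned actions in the other workflows; pin it to a release tag or a commit SHA. The dependency step runs `sudo apt install` without a preceding `apt-get update`, which can fail on a stale package index in the runner image; `run: sudo apt-get update && sudo apt-get install -y gcc procps libssl-dev`.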
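Review bot: The daily.yml hunk inserts `permissions:` / `contents: read` directly above `jobs:` with no separating blank line, while the same insertion in ci.yml, external.yml and the other workflows adds one (this hunk grows by two lines, theirs by three, per the `@@` counts). Adding the blank line keeps the workflow files consistent with each other.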
@@ -29,7 +32,7 @@ jobs: if: ${{ failure() }} uses: actions/upload-artifact@v3 with:
- name: test-external-server-log
+ name: test-external-standalone-log path: external-server.log test-external-cluster:
@@ -81,5 +84,5 @@ jobs: if: ${{ failure() }} uses: actions/upload-artifact@v3 with:
- name: test-external-server-log
- path: external-server.log
\ No newline at end of file
+ name: test-external-nodebug-log
+ path: external-server.log
diff --git a/.github/workflows/reply-schemas-linter.yml b/.github/workflows/reply-schemas-linter.yml
index 13fc8ab88..f48aa4e48 100644
--- a/.github/workflows/reply-schemas-linter.yml
+++ b/.github/workflows/reply-schemas-linter.yml
@@ -8,6 +8,9 @@ on: paths: - 'src/commands/*.json'
+permissions:
+ contents: read
+ jobs: reply-schemas-linter: runs-on: ubuntu-latest
diff --git a/.github/workflows/spell-check.yml b/.github/workflows/spell-check.yml
index 533607412..b93909798 100644
--- a/.github/workflows/spell-check.yml
+++ b/.github/workflows/spell-check.yml
@@ -9,6 +9,9 @@ on: push: pull_request:
+permissions:
+ contents: read
+ jobs: build: name: Spellcheck