chore(ci): harden GHA workflows with least-privilege permissions #4210
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Tinygo tests | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - "**/*.md" | |
| - "LICENSE" | |
| pull_request: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - "**/*.md" | |
| - "LICENSE" | |
| permissions: {} | |
| concurrency: | |
| group: tinygo-${{ github.ref }} | |
| cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
| jobs: | |
| test: | |
| strategy: | |
| matrix: | |
| go-version: [1.25.x] | |
| # tinygo-version is meant to stay aligned with the one used in corazawaf/coraza-proxy-wasm | |
| tinygo-version: [0.40.1] | |
| os: [ubuntu-latest] | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6 | |
| - name: Install Go | |
| uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6 | |
| with: | |
| go-version: ${{ matrix.go-version }} | |
| cache: true | |
| - name: Download dependencies | |
| run: go mod download | |
| - name: Setup tinygo | |
| uses: acifani/setup-tinygo@db56321a62b9a67922bb9ac8f9d085e218807bb3 # v2 | |
| with: | |
| tinygo-version: ${{ matrix.tinygo-version }} | |
| - name: Cache TinyGo build | |
| uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5 | |
| with: | |
| path: | | |
| ~/.cache/tinygo | |
| key: ${{ runner.os }}-tinygo-${{ matrix.tinygo-version }}-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-tinygo-${{ matrix.tinygo-version }}- | |
| - name: Tests | |
| run: tinygo test -v -short ./internal/... | |
| - name: Tests memoize | |
| run: tinygo test -v -short -tags=memoize_builders ./internal/... |