Pin version of the action and no longer persist credentials.

dlemstra · dlemstra · commit 1a01cfb01518 · 2025-11-06T22:25:53.000+01:00
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -21,6 +21,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         run: build/linux-x64/install.dependencies.sh
@@ -53,6 +55,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         run: build/linux-musl-x64/install.dependencies.sh
@@ -83,6 +87,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         run: build/linux-arm64/install.dependencies.sh
@@ -115,6 +121,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         run: build/macos-x64/install.dependencies.sh
@@ -133,12 +141,14 @@ jobs:
         run: build/shared/test.Magick.NET.sh x64
 
   macos_arm64:
-    name: 'MacOS (Q8/Q16/Q16-HDRI, arm64)'
+    name: MacOS (Q8/Q16/Q16-HDRI, arm64)
     runs-on: macos-14
 
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         run: build/macos-arm64/install.dependencies.sh
@@ -184,6 +194,7 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-tags: true
+          persist-credentials: false
 
       - name: Install dependencies
         run: ./install.dependencies.cmd
@@ -235,48 +246,49 @@ jobs:
         platformName: [arm64]
 
     steps:
-    - name: Checkout
-      uses: actions/checkout@v5
-      with:
-        fetch-tags: true
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          fetch-tags: true
+          persist-credentials: false
 
-    - name: Install dependencies
-      run: ./install.dependencies.cmd
-      working-directory: build/windows
+      - name: Install dependencies
+        run: ./install.dependencies.cmd
+        working-directory: build/windows
 
-    - name: Create nuget.config
-      run: ./create-nuget-config.cmd "dlemstra" "${{ secrets.GITHUB_TOKEN }}"
-      working-directory: src/Magick.Native
+      - name: Create nuget.config
+        run: ./create-nuget-config.cmd "dlemstra" "${{ secrets.GITHUB_TOKEN }}"
+        working-directory: src/Magick.Native
 
-    - name: Install Magick.Native
-      run: ./install.cmd
-      working-directory: src/Magick.Native
+      - name: Install Magick.Native
+        run: ./install.cmd
+        working-directory: src/Magick.Native
 
-    # - name: Build Magick.NET (Test)
-    #   run: ./build.Magick.NET.cmd ${{ matrix.quantumName }} "${{ matrix.platformName }}" Test
-    #   working-directory: build/windows
+      # - name: Build Magick.NET (Test)
+      #   run: ./build.Magick.NET.cmd ${{ matrix.quantumName }} "${{ matrix.platformName }}" Test
+      #   working-directory: build/windows
 
-    # - name: Test Magick.NET
-    #   run: ./test.Magick.NET.cmd ${{ matrix.quantumName }} "${{ matrix.platformName }}"
-    #   working-directory: build/windows
+      # - name: Test Magick.NET
+      #   run: ./test.Magick.NET.cmd ${{ matrix.quantumName }} "${{ matrix.platformName }}"
+      #   working-directory: build/windows
 
-    - name: Build Magick.NET (Release)
-      run: ./build.Magick.NET.cmd ${{ matrix.quantumName }} "${{ matrix.platformName }}" Release
-      working-directory: build/windows
+      - name: Build Magick.NET (Release)
+        run: ./build.Magick.NET.cmd ${{ matrix.quantumName }} "${{ matrix.platformName }}" Release
+        working-directory: build/windows
 
-    - name: Set NuGet version
-      run: ./set.version.ps1
-      working-directory: publish
+      - name: Set NuGet version
+        run: ./set.version.ps1
+        working-directory: publish
 
-    - name: Create NuGet package
-      run: ./publish.cmd ${{ matrix.quantumName }} "${{ matrix.platformName }}"
-      working-directory: publish
+      - name: Create NuGet package
+        run: ./publish.cmd ${{ matrix.quantumName }} "${{ matrix.platformName }}"
+        working-directory: publish
 
-    - name: Upload library
-      uses: actions/upload-artifact@v5
-      with:
-        name: Magick.NET-${{ matrix.quantumName }}-${{ matrix.platformName }}
-        path: publish/output
+      - name: Upload library
+        uses: actions/upload-artifact@v5
+        with:
+          name: Magick.NET-${{ matrix.quantumName }}-${{ matrix.platformName }}
+          path: publish/output
 
   libraries:
     name: Library
@@ -292,6 +304,7 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-tags: true
+          persist-credentials: false
 
       - name: Install dependencies
         run: ./install.dependencies.cmd
@@ -348,7 +361,7 @@ jobs:
         run: dotnet tool install --global sign --prerelease
 
       - name: Azure CLI login with federated credential
-        uses: azure/login@v2
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
