Update GitHub Actions configs

Flamefire · Flow86 · commit bab98a431651 · 2026-04-08T20:24:14.000+02:00
- Pin used actions
- Add explicit permissions
- Update actions where required &amp; possible for Node 20 deprecation
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,8 +1,10 @@
-# Copyright (C) 2005 - 2025 Settlers Freaks <sf-team at siedler25.org>
+# Copyright (C) 2005 - 2026 Settlers Freaks <sf-team at siedler25.org>
 #
 # SPDX-License-Identifier: GPL-2.0-or-later
 
 name: Create Release
+permissions:
+  contents: write
 
 on:
   push:
@@ -18,7 +20,7 @@ jobs:
     name: Create Release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Extract tag name
         id: get_tag
         run: echo "::set-output name=tag::${GITHUB_REF#refs/tags/}"
@@ -60,34 +62,19 @@ jobs:
           fi
       - name: Create Release
         id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         with:
+          token: ${{ secrets.GITHUB_TOKEN }}
           tag_name: ${{ github.ref }}
-          release_name: Release ${{ github.ref }}
+          name: Release ${{ github.ref }}
           body: |
             Return To The Roots (Settlers II(R) Clone)
             ${{ env.TAG_MSG }}
             - ${{steps.filenames.outputs.src}} contains all source files including the submodules
             - ${{steps.filenames.outputs.devTools}} contains optional binaries for development. Extract over the source folder if required
           draft: false
           prerelease: false
-      - name: Upload source distribution
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./${{steps.filenames.outputs.src}}
-          asset_name: ${{steps.filenames.outputs.src}}
-          asset_content_type: application/tar.gz
-      - name: Upload Dev Tools
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./${{steps.filenames.outputs.devTools}}
-          asset_name: ${{steps.filenames.outputs.devTools}}
-          asset_content_type: application/tar.gz
+          files: |
+            ${{steps.filenames.outputs.src}}
+            ${{steps.filenames.outputs.devTools}}
+          fail_on_unmatched_files: true
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
@@ -1,8 +1,10 @@
-# Copyright (C) 2005 - 2025 Settlers Freaks <sf-team at siedler25.org>
+# Copyright (C) 2005 - 2026 Settlers Freaks <sf-team at siedler25.org>
 #
 # SPDX-License-Identifier: GPL-2.0-or-later
 
 name: Static analysis
+permissions:
+  contents: write
 
 on:
   push:
@@ -16,12 +18,12 @@ jobs:
   StyleAndFormatting:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - run: git submodule update --init
       - name: Validation
         run: tools/ci/staticValidation.sh "$GITHUB_WORKSPACE"
       - name: Formatting
-        uses: DoozyX/clang-format-lint-action@v0.18.2
+        uses: DoozyX/clang-format-lint-action@c71d0bf4e21876ebec3e5647491186f8797fde31 # v0.18.2
         with:
           source: "extras libs tests external/libendian external/liblobby external/libsiedler2 external/libutil external/mygettext external/s25edit external/s25update"
           clangFormatVersion: 10
@@ -32,7 +34,7 @@ jobs:
                  -prune -false -o \( -name '*.hpp' -or -name '*.h' \) \
                  -print0 | xargs -0 -n1 tools/ci/checkIncludeGuards.sh
       - name: Lint markdown files
-        uses: avto-dev/markdown-lint@v1
+        uses: avto-dev/markdown-lint@04d43ee9191307b50935a753da3b775ab695eceb # v1.5.0
         with:
           ignore: external data/RTTR/MAPS .
       - name: Check licensing
@@ -47,7 +49,7 @@ jobs:
       ADDITIONAL_CMAKE_FLAGS: ""
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - run: git submodule update --init
       - name: Install dependencies
         run: |
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
@@ -1,8 +1,10 @@
-# Copyright (C) 2005 - 2025 Settlers Freaks <sf-team at siedler25.org>
+# Copyright (C) 2005 - 2026 Settlers Freaks <sf-team at siedler25.org>
 #
 # SPDX-License-Identifier: GPL-2.0-or-later
 
 name: Unit tests
+permissions:
+  contents: write
 
 on:
   push:
@@ -37,11 +39,11 @@ jobs:
           - { os: windows-2022, generator: Visual Studio 17 2022, type: Release, platform: x64}
     runs-on: ${{matrix.os}}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: true
       - name: Install boost
-        uses: MarkusJx/install-boost@6d8df42f57de83c5b326b5b83e7b35d650030103
+        uses: MarkusJx/install-boost@8ba8b2fac59ef3d91a838bb4aa53ceabd33d1aa3  # v2.5.1
         id: install-boost
         with:
           boost_version: ${{env.BOOST_VERSION}}
@@ -139,18 +141,18 @@ jobs:
           echo "GCOV=$GCOV" >> $GITHUB_ENV
 
       # Coverage collection requires access to history to find merge-base
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         if: "!matrix.coverage"
         with:
           submodules: true
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         if: matrix.coverage
         with:
           submodules: true
           fetch-depth: 0 # Full history
 
       - name: Cache dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: ${{env.DEPS_DIR}}
           key: ${{matrix.os}}-${{env.BOOST_VERSION}}
@@ -182,7 +184,7 @@ jobs:
           fi
 
       - name: Setup CCache
-        uses: hendrikmuhs/ccache-action@v1
+        uses: hendrikmuhs/ccache-action@33522472633dbd32578e909b315f5ee43ba878ce # v1.2.22
         with:
           key: ${{matrix.os}}-${{matrix.compiler}}-${{matrix.type}}-${{matrix.boost}}
           max-size: 200M
@@ -218,7 +220,7 @@ jobs:
 
       - name: Upload coverage (Coveralls)
         if: matrix.coverage && success()
-        uses: coverallsapp/github-action@master
+        uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
           path-to-lcov: srccov.info
