Restrict push CI to main, fix permissions (#363)

This patch makes two primary changes to the CI config. It restricts the CI running on push events to only run on the main branch. This prevents the CI from running twice on PRs from branches in the main repository, which are needed for stacked PRs. Additionally, this PR sets the permissions at the top of the file, which is a general best practice for Github workflows for security reasons. Additionally, bump a couple of the actions that were using deprecated NodeJS versions so we do not get the warning anymore.
google · Sep 16, 2024 · 026173d · 026173d
1 parent 7038c8b
commit 026173d
Showing 1 changed file with 13 additions and 5 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -2,13 +2,21 @@
 
 name: MLGO CI
 
-on: [push, repository_dispatch, pull_request]
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - 'main'
+  repository_dispatch:
+  pull_request:
 
 jobs:
   LicenseCheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - run: ./check-license.sh
   Envvars:
     runs-on: ubuntu-latest
@@ -46,17 +54,17 @@ jobs:
           - task: Test
             cmd: pytest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Install Python With Cached pip Packages
         if: needs.Envvars.outputs.do_cache == '1'
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
           cache: 'pipenv'
           cache-dependency-path: Pipfile.lock
       - name: Install Python, no cache
         if: needs.Envvars.outputs.do_cache == '0'
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install Pipenv