fix(workflows): assign explicit permissions + pin 3rd party actions #25793

Merged
merged 2 commits into from
Jan 30, 2025
4 changes: 2 additions & 2 deletions .github/workflows/close-incomplete-issues.yml
Expand Up @@ -11,7 +11,7 @@ jobs:
close-issues-if-invalid:
runs-on: ubuntu-latest
steps:
- uses: queengooborg/[email protected]
- uses: queengooborg/invalid-issue-closer@d79a4ae7685cfab213be15f0e39fbd4533e3d822 # v1.5.4
id: spam-check
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
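Review bot: this file is SHA-pinned but receives no `permissions:` block in this PR, although the title promises explicit permissions for the workflows; `queengooborg/invalid-issue-closer` closes and locks issues with `secrets.GITHUB_TOKEN`, so unless the file already declares permissions outside this hunk, add a top-level `permissions:` with `issues: write` and nothing else, so the automatic token is not left at the repository default scope.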
Expand All @@ -21,7 +21,7 @@ jobs:
This issue has been identified as spam and has been automatically closed and locked. Do not use this repository for posting spam.
normalize-newlines: true
body-is-blank: true
- uses: queengooborg/[email protected]
- uses: queengooborg/invalid-issue-closer@d79a4ae7685cfab213be15f0e39fbd4533e3d822 # v1.5.4
if: steps.spam-check.outputs.was-closed == 'false'
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
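Review bot: the second `uses:` carries the same SHA and `# v1.5.4` comment as the first; keep the two in lockstep, since a bump that touches only one of them leaves the job running two different versions of the closer, and the trailing version comment is what Dependabot and Renovate read to bump a SHA pin, so it must stay attached to each line.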
4 changes: 4 additions & 0 deletions .github/workflows/issue-regex-labeler.yml
Expand Up @@ -4,6 +4,10 @@ on:
issues:
types: [opened]

permissions:
contents: read
issues: write

jobs:
issue-labeler:
runs-on: ubuntu-latest
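Review bot: `contents: read` is only needed if a step in this job checks out the repository or reads a config file from it; if the labeler only calls the issues API, `issues: write` on its own is the tighter grant. Either way, explicitly listing `issues: write` for a workflow that runs on `issues: opened` is the right least-privilege shape.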
2 changes: 1 addition & 1 deletion .github/workflows/labeler.yml
Expand Up @@ -21,7 +21,7 @@ jobs:
needs: label-py-path
runs-on: ubuntu-latest
steps:
- uses: codelytv/pr-size-labeler@v1
- uses: codelytv/pr-size-labeler@1c3422395d899286d5ee2c809fd5aed264d5eb9b # v1.10.2
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
github_api_url: "https://api.github.com"
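Review bot: pinning `codelytv/pr-size-labeler` to a SHA is right, but this file gets no `permissions:` block in the PR, and applying size labels through `secrets.GITHUB_TOKEN` needs `pull-requests: write`; if `labeler.yml` does not already declare permissions outside this hunk, add a top-level block with `contents: read` and `pull-requests: write` so the job does not depend on the repository default token scope.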
2 changes: 1 addition & 1 deletion .github/workflows/ping-other-repos.yml
Expand Up @@ -27,7 +27,7 @@ jobs:
- name: Ping w3c/mdn-spec-links
# This is one of many possible repos we can ping. When adding other
# repos, you can follow this w3c/mdn-spec-links one as an example.
uses: peter-evans/repository-dispatch@v3
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
with:
token: ${{ secrets.SIDESHOWBARKER }}
repository: w3c/mdn-spec-links
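Review bot: a `permissions:` key cannot constrain `secrets.SIDESHOWBARKER`, which is a personal access token rather than the workflow's `GITHUB_TOKEN`, so the SHA pin is the only hardening this step gets from the PR; a repository dispatch to `w3c/mdn-spec-links` requires a token with write access to that repository, so it is worth confirming that this PAT is a fine-grained token limited to that single repository, and recording its scope in the comment above, which currently only explains the choice of repo.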
6 changes: 5 additions & 1 deletion .github/workflows/pr-reviewdog.yml
Expand Up @@ -4,6 +4,10 @@ on:
pull_request_target:
branches: ["main"]

permissions:
contents: read
pull-requests: write

jobs:
fix:
name: Fix
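Review bot: `pull-requests: write` is what a `pull_request_target` job needs to post review comments, but `pull_request_target` runs in the base repository context with that write token and repository secrets available, so the job must not execute code taken from the PR head (no `npm install`, lint plugins or scripts from a checkout of the PR's head commit) while the token is in scope; `contents: read` keeps the token from pushing, which is the right choice for this trigger.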
Expand Up @@ -47,7 +51,7 @@ jobs:
name: diff

- name: Setup
uses: reviewdog/action-setup@v1
uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.0
with:
reviewdog_version: latest

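Review bot: the SHA pin covers only the installer action; `reviewdog_version: latest` on the line below still downloads whichever reviewdog release is current at run time, so the binary that actually runs remains unpinned. Pin `reviewdog_version` to a specific release so the whole step is reproducible, and let Dependabot or Renovate bump it alongside the action SHA.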
4 changes: 4 additions & 0 deletions .github/workflows/release-pr.yml
Expand Up @@ -6,6 +6,10 @@ on:
branches:
- main

permissions:
contents: write
pull-requests: write

env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
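Review bot: the new `permissions:` block only governs the workflow's automatic `GITHUB_TOKEN`, but the `env:` below overrides both `GH_TOKEN` and `GITHUB_TOKEN` with the `GH_TOKEN` secret (a PAT), so the steps will act with the PAT's scopes, not with `contents: write` and `pull-requests: write`. If every step relies on the PAT, narrow the block (for example to `contents: read`) so the unused automatic token holds no write scope; if some step is meant to use the automatic token, it should not be shadowed by the PAT in `env`.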
2 changes: 1 addition & 1 deletion .github/workflows/update-browser-releases.yml
Expand Up @@ -34,7 +34,7 @@ jobs:
npm run update-browser-releases -- --all >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
- name: Create Pull Request
uses: peter-evans/create-pull-request@v7
uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
with:
token: ${{ secrets.GH_TOKEN }} # need the rights to create and edit PRs
commit-message: Update browser releases
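Review bot: the command output is appended to `$GITHUB_ENV` with a fixed `EOF` delimiter; if `npm run update-browser-releases` ever emits a line that is exactly `EOF`, the multi-line value terminates early and the remaining lines are parsed as new environment variables, so use a randomly generated delimiter rather than the literal `EOF`. The pin of `peter-evans/create-pull-request` with the `# v7.0.6` comment is fine; note that the PAT passed in `token:` is outside the reach of any `permissions:` key.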
4 changes: 4 additions & 0 deletions .github/workflows/update-mdn-urls.yml
Expand Up @@ -5,6 +5,10 @@ on:
paths:
- "package-lock.json"

permissions:
contents: write
pull-requests: read

jobs:
update-mdn-urls:
if: github.repository == 'mdn/browser-compat-data' && github.event.pull_request.user.login == 'dependabot[bot]' && startsWith(github.head_ref, 'dependabot/npm_and_yarn/ddbeck/mdn-content-inventory-')
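Review bot: `contents: write` is the broad grant here and is justified only if a step pushes to the Dependabot branch; note that in the `if:` condition the `github.head_ref` prefix is chosen by whoever opens the PR, so the `github.event.pull_request.user.login == 'dependabot[bot]'` check is the load-bearing guard and must stay. `pull-requests: read` looks right for a job that only inspects the PR.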
6 changes: 5 additions & 1 deletion .github/workflows/update-web-features.yml
Expand Up @@ -6,6 +6,10 @@ on:
schedule:
- cron: "30 4 * * 1-5"

permissions:
contents: write
pull-requests: write

jobs:
update-web-features:
if: github.repository == 'mdn/browser-compat-data'
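Review bot: this workflow is `schedule`-triggered and its PR-creation step (further down in the file) authenticates with the `GH_TOKEN` PAT, so `contents: write` and `pull-requests: write` on the automatic token only matter if some other step uses `GITHUB_TOKEN`; if none does, narrow this block to `contents: read` so the default token carries no write scope it never uses.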
Expand Up @@ -40,7 +44,7 @@ jobs:
echo "EOF" >> $GITHUB_ENV

- name: Create Pull Request
uses: peter-evans/create-pull-request@v7
uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
with:
token: ${{ secrets.GH_TOKEN }} # need the rights to create and edit PRs
commit-message: Update web-features tags
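Review bot: this is the same pin (`67ccf781d68cd99b580ae25a5c18a1cc84ffff1f`, `# v7.0.6`) as in `update-browser-releases.yml`, so keep the version comment on the line so Dependabot bumps both files together; since `token:` uses the `GH_TOKEN` PAT, the `permissions:` block at the top of this file does not bound what this step can do, and the PAT's own scope (PR creation and editing, as the inline comment says) is what should be reviewed and rotated.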