[StepSecurity] ci: Harden GitHub Actions (#13136)
Signed-off-by: StepSecurity Bot <[email protected]>
step-security-bot authored Jan 31, 2025
1 parent b1eb1fd commit 0c1a3d9
Showing 6 changed files with 20 additions and 2 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/assign-reviewers.yml
@@ -12,7 +12,7 @@ jobs:
assign-reviewers:
runs-on: ubuntu-latest
steps:
- uses: trask/component-owners@main
- uses: trask/component-owners@02dfde3c03025c064cc6961975e28a42e81c394a # main
with:
# this repository is using this action to request doc review
assign-owners: false
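Review bot: The trailing comment `# main` on the new `trask/component-owners@02dfde3c03025c064cc6961975e28a42e81c394a` line names a branch rather than a release, so a reader cannot tell which revision the SHA corresponds to and an update bot has no version to compare against. If the action publishes tags, pin to a tagged commit and put the tag in the comment; if it does not, say so, for example `# main branch, no tagged release; bump manually`. This pin and the `lycheeverse/lychee-action` pin in reusable-markdown-link-check.yml only stay patched if Dependabot or Renovate covers the `github-actions` ecosystem, and no such config is touched in this commit, so it is worth confirming one exists. The step's `with:` block may continue past the end of the hunk.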
3 changes: 3 additions & 0 deletions .github/workflows/label.yml
@@ -1,6 +1,9 @@
name: Labeler
on: [pull_request_target]

permissions:
contents: read

jobs:
label:
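Review bot: The new top-level `permissions: contents: read` sets every unlisted scope to none, and this commit adds no job-level block for `label`, so a labeler step that uses the default `GITHUB_TOKEN` would no longer be able to write labels. The job body is outside the hunk; unless it already declares its own permissions, add `permissions:` with `pull-requests: write # to apply labels` under `label:`. The same check applies to `publish` in publish-petclinic-benchmark-image.yml, which gets only the top-level block and would need `packages: write` if it pushes the image to GHCR with the default token. Restricting the token is the right default for a `pull_request_target` workflow, since it runs with the base repository's token on pull requests from forks.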

5 changes: 5 additions & 0 deletions .github/workflows/prepare-patch-release.yml
@@ -2,8 +2,13 @@ name: Prepare patch release
on:
workflow_dispatch:

permissions:
contents: read

jobs:
prepare-patch-release:
permissions:
contents: write # for Git to git push
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
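Review bot: The job-level block added under `prepare-patch-release` grants only `contents: write`, and together with the new top-level `contents: read` every other scope becomes none, so a step that opens a pull request with the default `GITHUB_TOKEN` would lose `pull-requests: write`. The steps are outside this hunk, so this needs confirming: if the pull request is created with a separate bot token nothing changes, otherwise add `pull-requests: write # for gh pr create` next to `contents: write`. The same applies to `create-pull-request-against-release-branch` and `create-pull-request-against-main` in prepare-release-branch.yml, where the `--base $RELEASE_BRANCH_NAME` context line suggests a PR-creation command. The comment `# for Git to git push` would then also be worth extending so it lists every operation the write scope is there for.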
7 changes: 7 additions & 0 deletions .github/workflows/prepare-release-branch.yml
@@ -2,6 +2,9 @@ name: Prepare release branch
on:
workflow_dispatch:

permissions:
contents: read

jobs:
prereqs:
runs-on: ubuntu-latest
@@ -21,6 +24,8 @@ jobs:
fi
create-pull-request-against-release-branch:
permissions:
contents: write # for Git to git push
runs-on: ubuntu-latest
needs:
- prereqs
@@ -74,6 +79,8 @@ jobs:
--base $RELEASE_BRANCH_NAME
create-pull-request-against-main:
permissions:
contents: write # for Git to git push
runs-on: ubuntu-latest
needs:
- prereqs
3 changes: 3 additions & 0 deletions .github/workflows/publish-petclinic-benchmark-image.yml
@@ -7,6 +7,9 @@ on:
- main
workflow_dispatch:

permissions:
contents: read

jobs:
publish:
runs-on: ubuntu-latest
2 changes: 1 addition & 1 deletion .github/workflows/reusable-markdown-link-check.yml
@@ -12,7 +12,7 @@ jobs:
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- uses: lycheeverse/lychee-action@v2
- uses: lycheeverse/lychee-action@f796c8b7d468feb9b8c0a46da3fac0af6874d374 # v2.2.0
with:
# excluding links to pull requests and issues is done for performance
args: >
