Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Define permissions in workflows and update actions #531

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jan 29, 2025
Merged

Define permissions in workflows and update actions #531

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/actions/install-dependencies/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ description: 'Set up node and install dependencies'
runs:
using: 'composite'
steps:
- uses: actions/setup-node@v3
- uses: actions/setup-node@v4
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed Dependabot missed this one. I can't recall if there was an issue with nested actions before, but did you want a PR to add the extra job?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is that something we can configure with Dependabot or a feature gap?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I tried it before with a different directory value, but I don't remember if there was an issue https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot#enabling-dependabot-version-updates-for-actions.
I'll send something over, but don't hold this up on my part. I think you'll see it in the Insights>Dependancies tab after if it "works"

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened #532

with:
node-version: '20.x'
cache: npm
Expand Down
5 changes: 4 additions & 1 deletion .github/workflows/check-dist.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,12 +13,15 @@ on:
pull_request:
workflow_dispatch:

permissions:
contents: read

jobs:
check-dist:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4

- uses: ./.github/actions/install-dependencies

Expand Down
5 changes: 4 additions & 1 deletion .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,14 @@ on:
pull_request:
branches: [main]

permissions:
contents: read

jobs:
ci:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: ./.github/actions/install-dependencies
- run: npm run style:check
- run: npm test
8 changes: 4 additions & 4 deletions .github/workflows/codeql-analysis.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,11 +38,11 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@v4

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
Expand All @@ -56,7 +56,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2
uses: github/codeql-action/autobuild@v3

# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
Expand All @@ -69,4 +69,4 @@ jobs:
# ./location_of_script_within_repo/buildscript.sh

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
uses: github/codeql-action/analyze@v3
17 changes: 10 additions & 7 deletions .github/workflows/integration.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,15 @@ on:
pull_request:
branches: [main]

permissions:
contents: read

jobs:
test-return:
name: 'Integration test: return'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- id: output-set
uses: ./
with:
Expand All @@ -31,7 +34,7 @@ jobs:
name: 'Integration test: relative-path require'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- id: relative-require
uses: ./
with:
Expand All @@ -49,7 +52,7 @@ jobs:
name: 'Integration test: npm package require'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: ./.github/actions/install-dependencies
- id: npm-require
uses: ./
Expand All @@ -69,7 +72,7 @@ jobs:
name: 'Integration test: GraphQL previews option'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: ./.github/actions/install-dependencies
- id: previews-default
name: Default previews not set
Expand Down Expand Up @@ -122,7 +125,7 @@ jobs:
name: 'Integration test: user-agent option'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: ./.github/actions/install-dependencies
- id: user-agent-default
name: Default user-agent not set
Expand Down Expand Up @@ -179,7 +182,7 @@ jobs:
name: "Integration test: debug option (runner.debug mode ${{ matrix.environment && 'enabled' || 'disabled' }})"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: ./.github/actions/install-dependencies
- id: debug-default
name: Default debug not set
Expand Down Expand Up @@ -253,7 +256,7 @@ jobs:
name: 'Integration test: base-url option'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: ./.github/actions/install-dependencies

- id: base-url-default
Expand Down
5 changes: 4 additions & 1 deletion .github/workflows/licensed.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,12 +8,15 @@ on:
branches:
- main

permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest
name: Check licenses
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
fetch-depth: 0 # prefer to use a full fetch for licensed workflows
# https://github.com/jonabc/setup-licensed/releases/tag/v1.1.1
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/publish-immutable-actions.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,4 @@ jobs:
uses: actions/checkout@v4
- name: Publish
id: publish
uses: actions/[email protected].3
uses: actions/[email protected].4
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a typo in the current string that Dependabot fixed in its PR

Suggested change
uses: actions/publish-immutable-action@0.0.4
uses: actions/publish-immutable-action@v0.0.4

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is actually a feature of immutable actions, it will be available more broadly soon - github/roadmap#592

With semantic versioning of actions, the v is optional.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting, just noticed because VSCode also complains about the missing v, since it tries to resolve a tag that doesn't exist (without the v)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! I'll pass that along to the team

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi

12 changes: 8 additions & 4 deletions .github/workflows/pull-request-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,11 +5,15 @@ on:
branches: [main]
types: [opened, synchronize]

permissions:
contents: read
pull-requests: write

jobs:
pull-request-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: ./
with:
script: |
Expand All @@ -20,9 +24,9 @@ jobs:
issue_number: context.payload.number,
})

// Find any comment already made by the bot.
const botComment = comments.find(comment => comment.user.id === 41898282)
const commentBody = "Hello from actions/github-script! (${{ github.sha }})"
// Find any comment already made by the bot.
const botComment = comments.find(comment => comment.user.id === 41898282)
const commentBody = "Hello from actions/github-script! (${{ github.sha }})"

if (context.payload.pull_request.head.repo.full_name !== 'actions/github-script') {
console.log('Not attempting to write comment on PR from fork');
Expand Down
31 changes: 0 additions & 31 deletions .github/workflows/stale.yml
View file
Open in desktop

This file was deleted.

10 changes: 5 additions & 5 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -305,7 +305,7 @@ jobs:
echo-input:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/github-script@v7
with:
script: |
Expand Down Expand Up @@ -343,7 +343,7 @@ jobs:
echo-input:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/github-script@v7
env:
SHA: '${{env.parentSHA}}'
Expand Down Expand Up @@ -381,8 +381,8 @@ jobs:
echo-input:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20.x'
- run: npm ci
Expand Down Expand Up @@ -417,7 +417,7 @@ jobs:
print-stuff:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/github-script@v7
with:
script: |
Expand Down
Loading