From 19e58d85259764f164c9e2f299847c1742cca11d Mon Sep 17 00:00:00 2001 From: Josh Gross Date: Tue, 28 Jan 2025 16:50:07 -0500 Subject: [PATCH] Define `permissions` in workflows and update actions --- .../actions/install-dependencies/action.yml | 2 +- .github/workflows/check-dist.yml | 5 ++- .github/workflows/ci.yml | 5 ++- .github/workflows/codeql-analysis.yml | 8 ++--- .github/workflows/integration.yml | 17 +++++----- .github/workflows/licensed.yml | 5 ++- .../workflows/publish-immutable-actions.yml | 2 +- .github/workflows/pull-request-test.yml | 12 ++++--- .github/workflows/stale.yml | 31 ------------------- README.md | 10 +++--- 10 files changed, 41 insertions(+), 56 deletions(-) delete mode 100644 .github/workflows/stale.yml diff --git a/.github/actions/install-dependencies/action.yml b/.github/actions/install-dependencies/action.yml index c5f23930e..362c93255 100644 --- a/.github/actions/install-dependencies/action.yml +++ b/.github/actions/install-dependencies/action.yml @@ -3,7 +3,7 @@ description: 'Set up node and install dependencies' runs: using: 'composite' steps: - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: node-version: '20.x' cache: npm diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml index ce3b9f36c..6a10549b5 100644 --- a/.github/workflows/check-dist.yml +++ b/.github/workflows/check-dist.yml @@ -13,12 +13,15 @@ on: pull_request: workflow_dispatch: +permissions: + contents: read + jobs: check-dist: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: ./.github/actions/install-dependencies diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dd2216d96..f5619e9b2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
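Review bot: The new `permissions:` / `contents: read` block in check-dist.yml sets the right floor for the token, but every action this commit touches is still referenced by a mutable tag (`actions/setup-node@v4`, `actions/checkout@v4` here, and `actions/publish-immutable-action@0.0.4` in the later hunk), so a hardening pass that stops at least-privilege tokens leaves the supply-chain side open. Pinning each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `- uses: actions/checkout@<commit-sha>  # v4` (placeholder), would close that gap and is what Dependabot/Renovate can keep current. The same applies to ci.yml, integration.yml, licensed.yml, codeql-analysis.yml and pull-request-test.yml; I note it once here rather than per hunk.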
@@ -6,11 +6,14 @@ on: pull_request: branches: [main] +permissions: + contents: read + jobs: ci: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: ./.github/actions/install-dependencies - run: npm run style:check - run: npm test diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index f08e12701..fd0e0b123 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -38,11 +38,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -56,7 +56,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -69,4 +69,4 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 720dca114..346a57f2e 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -6,12 +6,15 @@ on: pull_request: branches: [main] +permissions: + contents: read + jobs: test-return: name: 'Integration test: return' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: output-set uses: ./ with: 
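Review bot: codeql-analysis.yml receives only the `github/codeql-action/*` v2→v3 and checkout v3→v4 bumps in its three hunks and no `permissions` block, even though the commit title says permissions are defined in the workflows; the diffstat (4 insertions, 4 deletions) confirms none is added for this file. Unless one already exists above line 38, outside what these hunks show, the `github/codeql-action/analyze@v3` step in the last hunk needs `security-events: write` to upload its SARIF once the token is restricted, and otherwise the job should hold `contents: read` only (`actions: read` is additionally documented as required for private repositories). Suggested workflow-level block: `permissions:` / `  contents: read` / `  security-events: write`. The job definitions themselves start before line 38 and are not visible in the hunk.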
@@ -31,7 +34,7 @@ jobs: name: 'Integration test: relative-path require' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: relative-require uses: ./ with: @@ -49,7 +52,7 @@ jobs: name: 'Integration test: npm package require' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: ./.github/actions/install-dependencies - id: npm-require uses: ./ @@ -69,7 +72,7 @@ jobs: name: 'Integration test: GraphQL previews option' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: ./.github/actions/install-dependencies - id: previews-default name: Default previews not set @@ -122,7 +125,7 @@ jobs: name: 'Integration test: user-agent option' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: ./.github/actions/install-dependencies - id: user-agent-default name: Default user-agent not set @@ -179,7 +182,7 @@ jobs: name: "Integration test: debug option (runner.debug mode ${{ matrix.environment && 'enabled' || 'disabled' }})" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: ./.github/actions/install-dependencies - id: debug-default name: Default debug not set @@ -253,7 +256,7 @@ jobs: name: 'Integration test: base-url option' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: ./.github/actions/install-dependencies - id: base-url-default diff --git a/.github/workflows/licensed.yml b/.github/workflows/licensed.yml index 7afc7a306..98fd44a6f 100644 --- a/.github/workflows/licensed.yml +++ b/.github/workflows/licensed.yml 
@@ -8,12 +8,15 @@ on: branches: - main +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest name: Check licenses steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 # prefer to use a full fetch for licensed workflows # https://github.com/jonabc/setup-licensed/releases/tag/v1.1.1 diff --git a/.github/workflows/publish-immutable-actions.yml b/.github/workflows/publish-immutable-actions.yml index 87c020728..3a60acbf3 100644 --- a/.github/workflows/publish-immutable-actions.yml +++ b/.github/workflows/publish-immutable-actions.yml @@ -17,4 +17,4 @@ jobs: uses: actions/checkout@v4 - name: Publish id: publish - uses: actions/publish-immutable-action@0.0.3 + uses: actions/publish-immutable-action@0.0.4 diff --git a/.github/workflows/pull-request-test.yml b/.github/workflows/pull-request-test.yml index fb87ec3a9..3dec9d5a8 100644 --- a/.github/workflows/pull-request-test.yml +++ b/.github/workflows/pull-request-test.yml @@ -5,11 +5,15 @@ on: branches: [main] types: [opened, synchronize] +permissions: + contents: read + pull-requests: write + jobs: pull-request-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: ./ with: script: | @@ -20,9 +24,9 @@ jobs: issue_number: context.payload.number, }) - // Find any comment already made by the bot. - const botComment = comments.find(comment => comment.user.id === 41898282) - const commentBody = "Hello from actions/github-script! (${{ github.sha }})" + // Find any comment already made by the bot. + const botComment = comments.find(comment => comment.user.id === 41898282) + const commentBody = "Hello from actions/github-script! (${{ github.sha }})" if (context.payload.pull_request.head.repo.full_name !== 'actions/github-script') { console.log('Not attempting to write comment on PR from fork'); diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml deleted file mode 100644 index 7a3b654ac..000000000 
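Review bot: In pull-request-test.yml the new `pull-requests: write` grant carries no explanation of why a read-only workflow needs a write scope, and it is the only elevated permission this commit introduces. The reason is visible further down in the same file — the `./` script looks up an existing bot comment (`comments.find(... user.id === 41898282)`) and posts one when the head repo is not a fork — so a comment above the grant would record that, e.g. `# pull-requests: write — the script creates/updates a comment on the PR (fork PRs are skipped by the script and get a read-only token anyway)`. Likewise `41898282` in the second hunk deserves a short comment naming it as the github-actions[bot] user id so the next reader does not have to look it up.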
--- a/.github/workflows/stale.yml +++ /dev/null @@ -1,31 +0,0 @@ -name: Stale Issues & PRs - -on: - schedule: - - cron: '0 0 * * *' - workflow_dispatch: - -jobs: - mark_stale: - name: Mark issues and PRs as stale - runs-on: ubuntu-latest - steps: - - uses: actions/stale@v3 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - exempt-issue-labels: Not Stale - exempt-pr-labels: Not Stale - stale-issue-message: > - This issue is stale because it has been open for 60 days with no - activity. Remove the "Stale" label or comment on the issue, or it - will be closed in 7 days. - stale-pr-message: > - This pull request is stale because it has been open for 60 days - with no activity. Remove the "Stale" label or comment on the pull - request, or it will be closed in 7 days. - close-issue-message: > - This issue has been marked as stale and closed due to no activity - on it. - close-pr-message: > - This pull request has been marked as stale and closed due to no - activity on it. diff --git a/README.md b/README.md index 7e244d07a..347c75ea7 100644 --- a/README.md +++ b/README.md @@ -305,7 +305,7 @@ jobs: echo-input: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/github-script@v7 with: script: | @@ -343,7 +343,7 @@ jobs: echo-input: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/github-script@v7 env: SHA: '${{env.parentSHA}}' @@ -381,8 +381,8 @@ jobs: echo-input: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 with: node-version: '20.x' - run: npm ci @@ -417,7 +417,7 @@ jobs: print-stuff: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/github-script@v7 with: script: |