

fix(workflows): assign explicit permissions + pin 3rd party actions (#25793)
* fix(workflows): assign explicit permissions * fix(workflows): pin 3rd party actions
1 parent f5a9298 commit e286e5f

9 files changed

+27
-7
lines changed

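--- a/.github/workflows/close-incomplete-issues.yml
+++ b/.github/workflows/close-incomplete-issues.yml
@@ -11,7 +11,7 @@ jobs:
 close-issues-if-invalid:
 runs-on: ubuntu-latest
 steps:
-- uses: queengooborg/[email protected]
+- uses: queengooborg/invalid-issue-closer@d79a4ae7685cfab213be15f0e39fbd4533e3d822 # v1.5.4
 id: spam-check
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -21,7 +21,7 @@ jobs:
 This issue has been identified as spam and has been automatically closed and locked. Do not use this repository for posting spam.
 normalize-newlines: true
 body-is-blank: true
-- uses: queengooborg/[email protected]
+- uses: queengooborg/invalid-issue-closer@d79a4ae7685cfab213be15f0e39fbd4533e3d822 # v1.5.4
 if: steps.spam-check.outputs.was-closed == 'false'
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}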
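Review bot: Both steps hand `secrets.GITHUB_TOKEN` to a third-party action that closes and locks issues, yet this is the one file in the commit that gains no `permissions:` block in its visible hunks; unless one already exists above line 11 (outside the hunk), the job still runs with the repository's default token scope rather than the least privilege the commit title promises. The action only needs to edit issues, so a top-level `permissions:` with `issues: write` (plus `contents: read` only if some step checks out the repo) would bring it in line with the other workflows. Keep the trailing `# v1.5.4` comment accurate when the SHA moves, since that comment is what lets Dependabot or Renovate track the pin.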

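--- a/.github/workflows/issue-regex-labeler.yml
+++ b/.github/workflows/issue-regex-labeler.yml
@@ -4,6 +4,10 @@ on:
 issues:
 types: [opened]
 
+permissions:
+contents: read
+issues: write
+
 jobs:
 issue-labeler:
 runs-on: ubuntu-latest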

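--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -21,7 +21,7 @@ jobs:
 needs: label-py-path
 runs-on: ubuntu-latest
 steps:
-- uses: codelytv/pr-size-labeler@v1
+- uses: codelytv/pr-size-labeler@1c3422395d899286d5ee2c809fd5aed264d5eb9b # v1.10.2
 with:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 github_api_url: "https://api.github.com"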
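Review bot: `codelytv/pr-size-labeler` is now pinned, but the token scope it receives is still unconstrained in what is visible: the step passes `secrets.GITHUB_TOKEN`, labeling a PR needs `pull-requests: write`, and no `permissions:` block appears in this hunk, unlike the other files in the commit. Unless one exists above the hunk (the job header and the `label-py-path` job it depends on are outside it), add `permissions:` with `pull-requests: write` at workflow or job level so the default scope does not apply here. The enclosing job starts before the hunk, so this may already be covered — worth a look at the top of the file.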

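--- a/.github/workflows/ping-other-repos.yml
+++ b/.github/workflows/ping-other-repos.yml
@@ -27,7 +27,7 @@ jobs:
 - name: Ping w3c/mdn-spec-links
 # This is one of many possible repos we can ping. When adding other
 # repos, you can follow this w3c/mdn-spec-links one as an example.
-uses: peter-evans/repository-dispatch@v3
+uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
 with:
 token: ${{ secrets.SIDESHOWBARKER }}
 repository: w3c/mdn-spec-links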
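Review bot: The dispatch step authenticates with `secrets.SIDESHOWBARKER`, which by its name looks like a token belonging to an individual account rather than a credential scoped to this workflow; pinning the action shrinks the supply-chain surface of the step, but the secret it receives is what actually grants write access to `w3c/mdn-spec-links`, and a classic PAT would typically reach every repository that user can write to. Worth confirming it is a fine-grained token (or a GitHub App installation token) limited to the target repository with only the write access `repository_dispatch` requires, and recording that next to the step, e.g. `# fine-grained token scoped to w3c/mdn-spec-links only`. This file also gains no `permissions:` block in the visible hunk; if none exists above it and no other step needs the built-in token, `permissions: {}` at workflow level removes the default scope from a job that does not use `GITHUB_TOKEN` here.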

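--- a/.github/workflows/pr-reviewdog.yml
+++ b/.github/workflows/pr-reviewdog.yml
@@ -4,6 +4,10 @@ on:
 pull_request_target:
 branches: ["main"]
 
+permissions:
+contents: read
+pull-requests: write
+
 jobs:
 fix:
 name: Fix
@@ -47,7 +51,7 @@ jobs:
 name: diff
 
 - name: Setup
-uses: reviewdog/action-setup@v1
+uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.0
 with:
 reviewdog_version: latest
 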
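Review bot: `reviewdog_version: latest` undoes most of what pinning `reviewdog/action-setup` to a SHA buys, because the pinned action then downloads whatever the newest reviewdog release happens to be at run time; change it to a specific release tag so the binary is as reproducible as the action that installs it. The stakes are higher here than elsewhere in the commit because this workflow runs on `pull_request_target` with a `pull-requests: write` token: if an earlier step of the `fix` job (outside the hunk) checks out the PR head and runs project tooling on it, a pull request from a fork can execute code with that token, so it is worth confirming that checkout uses the base ref or that only the PR's diff, not its scripts, is consumed. The `fix` job's steps begin before the second hunk and the job continues past it.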

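--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -6,6 +6,10 @@ on:
 branches:
 - main
 
+permissions:
+contents: write
+pull-requests: write
+
 env:
 GH_TOKEN: ${{ secrets.GH_TOKEN }}
 GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}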
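Review bot: The new `permissions:` block scopes only the auto-generated `GITHUB_TOKEN`, but the `env:` block directly below overrides both `GH_TOKEN` and `GITHUB_TOKEN` with `secrets.GH_TOKEN`, a stored credential whose reach is whatever it was issued with; every step that reads those variables bypasses the declared `contents: write`/`pull-requests: write`, so the block documents intent more than it constrains this workflow. If all writes go through `GH_TOKEN` (the job steps are outside the hunk), the declared scopes could be reduced to `contents: read` so the built-in token cannot push, or the override dropped so the built-in token — now that it has these scopes — does the work and one long-lived secret fewer needs rotating. Whichever is kept, a comment such as `# GH_TOKEN is a PAT so the release PR triggers CI; scoped to this repo only` next to the `env:` entries would explain why the built-in token is overridden.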

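--- a/.github/workflows/update-browser-releases.yml
+++ b/.github/workflows/update-browser-releases.yml
@@ -34,7 +34,7 @@ jobs:
 npm run update-browser-releases -- --all >> $GITHUB_ENV
 echo "EOF" >> $GITHUB_ENV
 - name: Create Pull Request
-uses: peter-evans/create-pull-request@v7
+uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
 with:
 token: ${{ secrets.GH_TOKEN }} # need the rights to create and edit PRs
 commit-message: Update browser releases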
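Review bot: The `echo "EOF" >> $GITHUB_ENV` line closes a multi-line environment-file block whose body is the raw output of `npm run update-browser-releases -- --all`; if that output ever contains a line equal to `EOF`, everything after it is parsed as fresh `NAME=value` pairs, which is the environment-variable injection GitHub's documentation warns about for `$GITHUB_ENV` heredocs. The line that opens the block is above the hunk, but both ends should use a delimiter the script output cannot contain, e.g. `delim="ghadelim_$(openssl rand -hex 16)"` once, then `echo "$delim" >> "$GITHUB_ENV"` in place of both the fixed `EOF` lines. The release data presumably comes from browser vendors' feeds rather than this repository, so treating it as untrusted at this boundary is cheap insurance.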

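--- a/.github/workflows/update-mdn-urls.yml
+++ b/.github/workflows/update-mdn-urls.yml
@@ -5,6 +5,10 @@ on:
 paths:
 - "package-lock.json"
 
+permissions:
+contents: write
+pull-requests: read
+
 jobs:
 update-mdn-urls:
 if: github.repository == 'mdn/browser-compat-data' && github.event.pull_request.user.login == 'dependabot[bot]' && startsWith(github.head_ref, 'dependabot/npm_and_yarn/ddbeck/mdn-content-inventory-')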
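Review bot: With `contents: write` now granted explicitly, the `if:` guard on the job is what keeps that write scope away from untrusted pull requests, and it currently checks only the PR author and the head branch prefix. If the trigger above the hunk is `pull_request_target` (likely, since a Dependabot PR under plain `pull_request` would not get a write-capable token), appending `&& github.event.pull_request.head.repo.full_name == github.repository` rules out any fork-originated PR regardless of author or branch name; the `dependabot[bot]` author check is already a strong gate, so this is defense in depth rather than a hole. Since the expression is already one long line, writing it as a folded `>-` scalar with one clause per line would make future additions reviewable.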

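--- a/.github/workflows/update-web-features.yml
+++ b/.github/workflows/update-web-features.yml
@@ -6,6 +6,10 @@ on:
 schedule:
 - cron: "30 4 * * 1-5"
 
+permissions:
+contents: write
+pull-requests: write
+
 jobs:
 update-web-features:
 if: github.repository == 'mdn/browser-compat-data'
@@ -40,7 +44,7 @@ jobs:
 echo "EOF" >> $GITHUB_ENV
 
 - name: Create Pull Request
-uses: peter-evans/create-pull-request@v7
+uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
 with:
 token: ${{ secrets.GH_TOKEN }} # need the rights to create and edit PRs
 commit-message: Update web-features tags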
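Review bot: `contents: write` and `pull-requests: write` are granted to the built-in `GITHUB_TOKEN` at workflow level, but the Create Pull Request step authenticates with `secrets.GH_TOKEN` (its comment says it needs the rights to create and edit PRs), so unless an earlier step outside the hunk writes with the built-in token, the new scopes are unused and could be cut back to `contents: read`. The two cannot both be necessary: either the built-in token's new scopes suffice and the PAT is an extra long-lived credential to rotate, or the PAT is kept because PRs opened with `GITHUB_TOKEN` do not trigger other workflows, in which case the inline comment should say that rather than just "need the rights". The `echo "EOF" >> $GITHUB_ENV` line that closes the environment-file block (opened above the hunk) has the same delimiter-collision exposure as in update-browser-releases and should use a randomly generated delimiter.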
