From d3cb4115602b8d6d40e0e5a9748472173e8e6efc Mon Sep 17 00:00:00 2001 From: "Mr. Walls" Date: Fri, 12 Jul 2024 13:45:34 -0700 Subject: [PATCH 1/6] Harden default permissions of GH actions ( - Fixes #39 - ) --- .github/workflows/Labeler.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/Labeler.yml b/.github/workflows/Labeler.yml index 7377e4c..34eb240 100644 --- a/.github/workflows/Labeler.yml +++ b/.github/workflows/Labeler.yml @@ -5,7 +5,8 @@ on: branches: [ master, stable ] # Declare default permissions as none. -permissions: none +permissions: + contents: read jobs: triage: From bf8f7cd1ebabf385d43c10d5d6ec35a509c058c9 Mon Sep 17 00:00:00 2001 From: "Mr. Walls" Date: Fri, 12 Jul 2024 14:00:08 -0700 Subject: [PATCH 2/6] Harden default permissions of GH Labler action ( - Fixes #39 - ) --- .github/workflows/Labeler.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/Labeler.yml b/.github/workflows/Labeler.yml index 34eb240..118b87b 100644 --- a/.github/workflows/Labeler.yml +++ b/.github/workflows/Labeler.yml @@ -5,8 +5,7 @@ on: branches: [ master, stable ] # Declare default permissions as none. -permissions: - contents: read +permissions: {} jobs: triage: From 96b30659367e6541b6a8af907ed0af38d64e17fe Mon Sep 17 00:00:00 2001 From: "Mr. Walls" Date: Fri, 12 Jul 2024 14:27:54 -0700 Subject: [PATCH 3/6] Harden default permissions of GH Labler action ( - See #39 - ) --- .github/workflows/Tests.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/Tests.yml b/.github/workflows/Tests.yml index b7be6a8..cba85be 100644 --- a/.github/workflows/Tests.yml +++ b/.github/workflows/Tests.yml 
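Review bot: Tightening the top-level `permissions` to `contents: read` leaves no visible grant for the `triage` job that the hunk cuts off right after `jobs:`; if that job uses actions/labeler, as the file name suggests, it needs `pull-requests: write` to apply labels, so unless the job declares its own `permissions:` outside this hunk the workflow will run but fail at the labeling step. The fix is a job-level block, `permissions:` / `contents: read` / `pull-requests: write`, which keeps the workflow default minimal while granting the one job exactly what it uses. The same point applies to the second patch in this series, whose hunk replaces this map with `permissions: {}`. The retained comment `# Declare default permissions as none.` is only accurate for the `{}` form; with `contents: read` it should read `# Default: read-only access to repository contents; jobs grant anything more themselves.`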
@@ -6,6 +6,24 @@ on: - stable tags: - v* + pull_request: + types: + - opened + - edited + - reopened + - ready_for_review + branches-ignore: + - '*-patc*' + pull_request_target: + types: + - opened + - edited + - reopened + - synchronize + - ready_for_review + branches: + - master + - stable # Declare default permissions as read only. permissions: read-all From 27fda62fdf1807b16404cd46ed664acfe1191b7d Mon Sep 17 00:00:00 2001 From: "Mr. Walls" Date: Fri, 12 Jul 2024 16:15:11 -0700 Subject: [PATCH 4/6] Bump version of GH checkout action ( - WIP #40 / WIP #44 - ) --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b3a68fc..5439c0f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -41,7 +41,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v4.1.7 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL From f05f805765b385ae3271bdb4647eb0fe54eb73b9 Mon Sep 17 00:00:00 2001 From: "Mr. Walls" Date: Fri, 12 Jul 2024 16:19:04 -0700 Subject: [PATCH 5/6] Bump version of GH setup-pytho action ( - WIP #40 - ) --- .github/workflows/Tests.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/Tests.yml b/.github/workflows/Tests.yml index b7be6a8..a961877 100644 --- a/.github/workflows/Tests.yml +++ b/.github/workflows/Tests.yml @@ -21,7 +21,7 @@ jobs: LANG: "en_US.UTF-8" steps: - uses: actions/checkout@v4 - - uses: actions/setup-python@v4 + - uses: actions/setup-python@v5 with: python-version: "3.12" - name: Pre-Clean @@ -81,7 +81,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Setup Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} - name: Setup dependencies 
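Review bot: The `pull_request_target` block added next to `pull_request` runs in the context of the base repository and therefore with access to the secrets this same file passes into jobs (e.g. `CODECLIMATE_TOKEN` in the later `@@ -268` hunk), whereas `permissions: read-all` only constrains GITHUB_TOKEN; and since both triggers list `opened`, `edited`, `reopened` and `ready_for_review`, a PR against `master` or `stable` appears to start the full matrix twice per event. Separately, `branches-ignore: '*-patc*'` under `pull_request` is matched against the PR's base branch, not its head branch, so if the intent was to skip auto-generated `*-patch*` head branches it will not do that. The last patch in this series ("Simplify eager triggers") deletes both the `pull_request_target` block and the `branches-ignore` filter, which resolves this; in the meantime the comment above `permissions:` would be more accurate as `# read-all limits GITHUB_TOKEN only; pull_request_target runs still receive repository secrets.` The `on:` mapping begins before this hunk.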
@@ -139,7 +139,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Setup Python ${{ matrix.python-version }} - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} - name: Install dependencies for ${{ matrix.python-version }} @@ -186,7 +186,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Setup Python ${{ matrix.python-version }} - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} - name: Install dependencies for python ${{ matrix.python-version }} on ${{ matrix.os }} @@ -268,9 +268,9 @@ jobs: CODECLIMATE_REPO_TOKEN: ${{ secrets.CODECLIMATE_TOKEN }} CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Setup Python ${{ matrix.python-version }} - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} - name: Install dependencies for python ${{ matrix.python-version }} on ${{ matrix.os }} @@ -345,7 +345,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Setup Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: "3.10" - name: Install dependencies for python Linters @@ -391,7 +391,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Setup Python ${{ matrix.python-version }} - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} - name: Install dependencies for python ${{ matrix.python-version }} on ${{ matrix.os }} @@ -465,7 +465,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Setup Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: "3.10" - name: Install dependencies for Tox From bca55eb4de46b3f192e470ec7debe3bb721051df Mon Sep 17 00:00:00 2001 
From: "Mr. Walls" Date: Fri, 12 Jul 2024 18:44:01 -0700 Subject: [PATCH 6/6] Simplify eager triggers of GH actions ( - Resolves #42 - ) --- .github/workflows/Tests.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/.github/workflows/Tests.yml b/.github/workflows/Tests.yml index 8895b41..de61e29 100644 --- a/.github/workflows/Tests.yml +++ b/.github/workflows/Tests.yml @@ -7,23 +7,12 @@ on: tags: - v* pull_request: - types: - - opened - - edited - - reopened - - ready_for_review - branches-ignore: - - '*-patc*' - pull_request_target: types: - opened - edited - reopened - synchronize - ready_for_review - branches: - - master - - stable # Declare default permissions as read only. permissions: read-all