| Age | Commit message (Collapse) | Author |
|---|
|
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.13.2 to 2.13.3.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/95d9a5deda9de15063e7595e9719c11c38c90ae2...df199fb7be9f65074067a9eb93f12bb4c5547cf2)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.13.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
|
|
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 2.1.4 to 2.2.0.
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](https://github.com/actions/create-github-app-token/compare/67018539274d69449ef7c02e8e71183d1719ab42...7e473efe3cb98aa54f8d4bac15400b15fad77d94)
---
updated-dependencies:
- dependency-name: actions/create-github-app-token
dependency-version: 2.2.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
|
|
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
|
|
There is no inherent security vulnerability in the workflow, but there were
certain practices that increased latent risk. In this commit, we:
- Explicitly bind app token for each step that needs it, instead of setting it for
all steps after "Store app token"
- Refactor "classify" step, to not rely on files passed around, and instead uses
only awk script.
- Remove all instances of template injection within `run` scripts. There was nothing
dangerous, but the practice is unsafe.
- Sanitize all unwanted characters from PR plugin and theme names.
References: W2M1-06 W2M1-07
|
|
|
|
|
|
|
|
See [1] for the reference of value field (ProjectV2FieldValue type),
and [2] for sample application code.
[1] https://docs.github.com/en/graphql/reference/input-objects#projectv2fieldvalue
[2] https://docs.github.com/en/enterprise-cloud@latest/issues/planning-and-tracking-with-projects/automating-your-project/automating-projects-using-actions#example-workflow-authenticating-with-a-github-app
|
|
|
|
* build: harden main.yml permissions
Signed-off-by: Alex <aleksandrosansan@gmail.com>
* build: harden project.yml permissions
Signed-off-by: Alex <aleksandrosansan@gmail.com>
* Update project.yml
The permissions are not necessary, because a separate token is used `GITHUB_TOKEN: ${{ secrets.PROJECT_TOKEN }}`
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
