
Harden GitHub Workflows security (#8664)

Alex hace 2 años
padre
commit
e2cea6121a

+ 1 - 0
.github/workflows/automation.yml

@@ -7,6 +7,7 @@ on:
   pull_request_target:
   issue_comment:
 
+permissions: {}
 jobs:
   label:
     name: Labeling
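Review bot: The `label` job now inherits an empty token from the new workflow-level `permissions: {}`, and this file's diffstat (+1 -0) shows no job-level grant was added, so unless `label` already declared its own `permissions` outside the hunk, any step that applies labels will be rejected with a 403. The job needs a job-level `permissions:` / `  pull-requests: write` (and `issues: write` if it also labels plain issues reached via the `issue_comment` trigger). Both `pull_request_target` and `issue_comment` run in the base repository's context with access to secrets, so keep the grant at job level rather than relaxing the workflow default. The `label` job's body continues past the hunk.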

+ 4 - 0
.github/workflows/commands.yml

@@ -9,6 +9,7 @@ on:
       - labeled
       - synchronize
 
+permissions: {}
 jobs:
   rebase:
     name: Rebase
@@ -34,6 +35,9 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.JF_BOT_TOKEN }}
 
   check-backport:
+    permissions:
+      contents: read
+
     name: Check Backport
     if: ${{ ( github.event.issue.pull_request && contains(github.event.comment.body, '@jellyfin-bot check backport') ) || github.event.label.name == 'stable backport' || contains(github.event.pull_request.labels.*.name, 'stable backport' ) }}
     runs-on: ubuntu-latest
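Review bot: The `rebase` job passes `secrets.JF_BOT_TOKEN` as `GITHUB_TOKEN`, and a personal access token is not constrained by the new `permissions: {}` — its effective privileges are whatever scopes the PAT carries, so this hardening leaves that job's blast radius unchanged. Judging by the `labeled`/`synchronize` types and the comment-body condition on `check-backport`, the workflow appears to be reachable from contributor-triggered events, so the PAT should be scoped to the minimum this repository needs, and any `if:` restricting who can trigger `rebase` is worth confirming outside the hunk. A comment such as `# JF_BOT_TOKEN is a PAT: workflow-level permissions do not apply to it; keep its scopes minimal` above the `env` entry would make that explicit to the next editor. The `check-backport` job's steps continue past the hunk.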

+ 5 - 0
.github/workflows/openapi.yml

@@ -5,6 +5,8 @@ on:
       - master
   pull_request_target:
 
+permissions: {}
+
 jobs:
   openapi-head:
     name: OpenAPI - HEAD
@@ -55,6 +57,9 @@ jobs:
           path: tests/Jellyfin.Server.Integration.Tests/bin/Release/net6.0/openapi.json
 
   openapi-diff:
+    permissions:
+      pull-requests: write  #  to create or update comment (peter-evans/create-or-update-comment)
+
     name: OpenAPI - Difference
     if: ${{ github.event_name == 'pull_request_target' }}
     runs-on: ubuntu-latest
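Review bot: `openapi-diff` now receives `pull-requests: write` while running under `pull_request_target`, which is exactly the combination where PR-controlled data meets a write-capable token; confirm that nothing in this job checks out or executes the PR head, and treat the generated OpenAPI diff as untrusted text when it is interpolated into the comment body — a note like `# PR-derived output: treat as untrusted, never execute` next to the step that consumes it would help. Because a job-level `permissions` block replaces the workflow default rather than extending it, `contents` is now `none` for this job; if any step uses `actions/checkout`, add `contents: read` beside the existing grant. Minor style: the inline comment has two spaces after `#` — `# to create or update comment (peter-evans/create-or-update-comment)`. The job's steps continue past the hunk.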

+ 1 - 0
.github/workflows/repo-stale.yaml

@@ -5,6 +5,7 @@ on:
     - cron: '30 1 * * *'
   workflow_dispatch:
 
+permissions: {}
 jobs:
   stale:
     runs-on: ubuntu-latest
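Review bot: The `stale` job is left with no token scopes: this file's diffstat (+1 -0) shows only the workflow-level `permissions: {}` was added, and nothing between `stale:` and `runs-on` grants anything, so unless a `permissions` key already exists further down the job (not visible here) the stale action presumably used by this job cannot label or close issues and will fail on its first write. Add at job level `permissions:` / `  issues: write` / `  pull-requests: write`, which is the minimum a stale sweep needs. The job's steps continue past the hunk.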