ci: harden GitHub actions (#22321)

StepSecurity Bot 2023-07-25 07:47:29 -07:00 committed by GitHub
parent b650207fa5
commit 2748e54aec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 5 deletions


@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository == 'nuxt/nuxt' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/ecosystem-ci run') if: github.repository == 'nuxt/nuxt' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/ecosystem-ci run')
steps: steps:
- uses: actions/github-script@v6 - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
with: with:
script: | script: |
const user = context.payload.sender.login const user = context.payload.sender.login
@ -48,7 +48,7 @@ jobs:
}) })
throw new Error('not allowed') throw new Error('not allowed')
} }
- uses: actions/github-script@v6 - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
id: get-pr-data id: get-pr-data
with: with:
script: | script: |
@ -64,12 +64,12 @@ jobs:
repo: pr.head.repo.full_name repo: pr.head.repo.full_name
} }
- id: generate-token - id: generate-token
uses: tibdex/github-app-token@v1 uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
with: with:
app_id: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_ID }} app_id: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_ID }}
private_key: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_PRIVATE_KEY }} private_key: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_PRIVATE_KEY }}
repository: "${{ github.repository_owner }}/ecosystem-ci" repository: "${{ github.repository_owner }}/ecosystem-ci"
- uses: actions/github-script@v6 - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
id: trigger id: trigger
env: env:
COMMENT: ${{ github.event.comment.body }} COMMENT: ${{ github.event.comment.body }}
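Review bot: The `# v6.4.1` and `# v1.8.0` tag comments beside the new SHA pins (the three `actions/github-script` lines and the `generate-token` step) are informational only — the commit hash is what actually runs — and nothing on this page shows that each SHA really is the commit those tags point at, so that correspondence should be confirmed before merge and the comment kept in sync with the hash on every future bump. Pinning only pays off if the pins are refreshed: unless `.github/dependabot.yml` (not visible here) already has a `package-ecosystem: github-actions` entry, add one so the SHA and the tag comment are bumped together. The `tibdex/github-app-token` pin is the one that most warrants this care, since that step receives `ECOSYSTEM_CI_GITHUB_APP_PRIVATE_KEY`. If this workflow has no top-level `permissions:` block, the same least-privilege `permissions: contents: read` the second file adds would be worth adding here too; the hunks cut through the job body, so whether one already exists cannot be confirmed from this page.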


@ -7,14 +7,20 @@ on:
- edited - edited
- synchronize - synchronize
permissions:
contents: read
jobs: jobs:
main: main:
permissions:
pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs
statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR
if: github.repository == 'nuxt/nuxt' if: github.repository == 'nuxt/nuxt'
runs-on: ubuntu-latest runs-on: ubuntu-latest
name: Semantic pull request name: Semantic pull request
steps: steps:
- name: Validate PR title - name: Validate PR title
uses: amannn/action-semantic-pull-request@v5 uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 # v5.2.0
with: with:
scopes: | scopes: |
kit kit
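Review bot: The job-level `permissions:` block on `main` replaces the workflow-level block rather than merging with it, so inside this job `contents` is `none`, not the `read` declared at the top — harmless today because the job never checks out the repository, but a later `actions/checkout` step would fail with no obvious cause. A comment on the job block such as `# job-level permissions override the workflow defaults; add contents: read here if a checkout step is ever added` would prevent that surprise. The `on:` event name sits above this hunk; if it is `pull_request` rather than `pull_request_target`, note that for pull requests opened from forks the `GITHUB_TOKEN` stays read-only regardless of `statuses: write`, so the status-marking permission only takes effect for branches inside the repository.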