Harden GitHub Workflows security (#8664)

Alex 2022-12-03 17:47:30 +02:00 committed by GitHub
parent db2c0d4c91
commit e2cea6121a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 11 additions and 0 deletions


@ -7,6 +7,7 @@ on:
pull_request_target: pull_request_target:
issue_comment: issue_comment:
permissions: {}
jobs: jobs:
label: label:
name: Labeling name: Labeling
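Review bot: The hunk header (`+7,7` against `-7,6`) and the diffstat show this file gains only the top-level `permissions: {}`, so the `label` job, whose steps continue past the hunk, now runs with a GITHUB_TOKEN that has no scopes at all. If it labels pull requests with the default token rather than a bot secret, runs on `pull_request_target` and `issue_comment` will start failing with 403 until the job gets a job-level grant such as `permissions:` / `  pull-requests: write` (plus `issues: write` if the comment trigger labels plain issues). The `check-backport` and `openapi-diff` jobs in this same commit received exactly such per-job blocks, so this job looks like the one left out; worth confirming against its steps before merging.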


@ -9,6 +9,7 @@ on:
- labeled - labeled
- synchronize - synchronize
permissions: {}
jobs: jobs:
rebase: rebase:
name: Rebase name: Rebase
@ -34,6 +35,9 @@ jobs:
GITHUB_TOKEN: ${{ secrets.JF_BOT_TOKEN }} GITHUB_TOKEN: ${{ secrets.JF_BOT_TOKEN }}
check-backport: check-backport:
permissions:
contents: read
name: Check Backport name: Check Backport
if: ${{ ( github.event.issue.pull_request && contains(github.event.comment.body, '@jellyfin-bot check backport') ) || github.event.label.name == 'stable backport' || contains(github.event.pull_request.labels.*.name, 'stable backport' ) }} if: ${{ ( github.event.issue.pull_request && contains(github.event.comment.body, '@jellyfin-bot check backport') ) || github.event.label.name == 'stable backport' || contains(github.event.pull_request.labels.*.name, 'stable backport' ) }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
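Review bot: The new `contents: read` grant on `check-backport` has no justification comment, unlike the `pull-requests: write` grant this commit adds in the OpenAPI workflow; writing it as `contents: read  # to check out the repository (actions/checkout)` keeps the least-privilege intent auditable, assuming checkout is indeed the reason, which only the steps beyond the hunk can confirm. Separately, `permissions: {}` constrains only the automatic GITHUB_TOKEN: the `rebase` job authenticates with `secrets.JF_BOT_TOKEN`, a repository secret (presumably a bot PAT) whose scopes this hardening does not touch, so an `issue_comment`-triggered run still wields whatever that token can do. A one-line comment beside the top-level key, e.g. `permissions: {}  # scopes GITHUB_TOKEN only; JF_BOT_TOKEN is a separate secret with its own scopes`, would stop a later reader from assuming the workflow is fully locked down.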


@ -5,6 +5,8 @@ on:
- master - master
pull_request_target: pull_request_target:
permissions: {}
jobs: jobs:
openapi-head: openapi-head:
name: OpenAPI - HEAD name: OpenAPI - HEAD
@ -55,6 +57,9 @@ jobs:
path: tests/Jellyfin.Server.Integration.Tests/bin/Release/net6.0/openapi.json path: tests/Jellyfin.Server.Integration.Tests/bin/Release/net6.0/openapi.json
openapi-diff: openapi-diff:
permissions:
pull-requests: write # to create or update comment (peter-evans/create-or-update-comment)
name: OpenAPI - Difference name: OpenAPI - Difference
if: ${{ github.event_name == 'pull_request_target' }} if: ${{ github.event_name == 'pull_request_target' }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
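Review bot: `openapi-diff` now holds `pull-requests: write` while the workflow is triggered by `pull_request_target`, meaning it runs against untrusted fork PRs with a token that can post to the PR; its steps lie outside the hunk, so confirm the job never checks out the PR head ref and never interpolates PR-controlled values (title, branch name, or the contents of the artifact that `openapi-head` appears to build from the PR, given the `bin/Release/.../openapi.json` path) directly into a `run:` step, since any of those would execute attacker-influenced input under the write-capable token. Confining the write scope to `openapi-diff` is the right split only as long as the PR build stays in `openapi-head`, which this hunk correctly leaves with no token scopes; a short comment on the job, e.g. `# must not execute PR-controlled code: runs with pull-requests: write under pull_request_target`, would record that invariant for future edits.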


@ -5,6 +5,7 @@ on:
- cron: '30 1 * * *' - cron: '30 1 * * *'
workflow_dispatch: workflow_dispatch:
permissions: {}
jobs: jobs:
stale: stale:
runs-on: ubuntu-latest runs-on: ubuntu-latest
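Review bot: This file gains only the top-level `permissions: {}` (one addition per the hunk header and the diffstat), yet a stale-issue job of this kind presumably runs `actions/stale`, which needs `issues: write` and `pull-requests: write` to label and close stale items; unless the `stale` job already declares those in the steps that continue past the hunk, or uses a separate bot token, the nightly cron run will now fail with 403. Add a job-level block under `stale:`: `permissions:` / `  issues: write` / `  pull-requests: write`, mirroring the per-job grants the other workflows in this commit received.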