Dawoox/nixpkgs
1
1
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Workflow security fixes (#351446)

Browse Source
This commit is contained in:
Jörg Thalheim
2024-10-26 16:20:52 +02:00
committed by GitHub
parent 900a2d4022 5bbbc3a30b
commit 88bcaef9a8
5 changed files with 39 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
.github/workflows/codeowners.yml → .github/workflows/codeowners-v2.yml vendored
View File

@@ -1,17 +1,32 @@
name: Codeowners
name: Codeowners v2
# This workflow depends on a GitHub App with the following permissions:
# - Repository > Administration: read-only
# - Organization > Members: read-only
# - Repository > Pull Requests: read-write
# The App needs to be installed on this repository
# the OWNER_APP_ID repository variable needs to be set
# the OWNER_APP_PRIVATE_KEY repository secret needs to be set
# This workflow depends on two GitHub Apps with the following permissions:
# - For checking code owners:
# - Permissions:
# - Repository > Administration: read-only
# - Organization > Members: read-only
# - Install App on this repository, setting these variables:
# - OWNER_RO_APP_ID (variable)
# - OWNER_RO_APP_PRIVATE_KEY (secret)
# - For requesting code owners:
# - Permissions:
# - Repository > Administration: read-only
# - Organization > Members: read-only
# - Repository > Pull Requests: read-write
# - Install App on this repository, setting these variables:
# - OWNER_APP_ID (variable)
# - OWNER_APP_PRIVATE_KEY (secret)
#
# This split is done because checking code owners requires handling untrusted PR input,
# while requesting code owners requires PR write access, and those shouldn't be mixed.
on:
pull_request_target:
types: [opened, ready_for_review, synchronize, reopened, edited]
# We don't need any default GitHub token
permissions: {}
env:
OWNERS_FILE: ci/OWNERS
# Don't do anything on draft PRs
@@ -45,8 +60,8 @@ jobs:
- uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
id: app-token
with:
app-id: ${{ vars.OWNER_APP_ID }}
private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
app-id: ${{ vars.OWNER_RO_APP_ID }}
private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:

6
.github/workflows/editorconfig.yml → .github/workflows/editorconfig-v2.yml vendored
View File

@@ -1,6 +1,8 @@
name: "Checking EditorConfig"
name: "Checking EditorConfig v2"
permissions: read-all
permissions:
pull-requests: read
contents: read
on:
# avoids approving first time contributors

5
.github/workflows/manual-nixos.yml → .github/workflows/manual-nixos-v2.yml vendored
View File

@@ -1,6 +1,7 @@
name: "Build NixOS manual"
name: "Build NixOS manual v2"
permissions: read-all
permissions:
contents: read
on:
pull_request_target:

5
.github/workflows/manual-nixpkgs.yml → .github/workflows/manual-nixpkgs-v2.yml vendored
View File

@@ -1,6 +1,7 @@
name: "Build Nixpkgs manual"
name: "Build Nixpkgs manual v2"
permissions: read-all
permissions:
contents: read
on:
pull_request_target:

6
.github/workflows/nix-parse.yml → .github/workflows/nix-parse-v2.yml vendored
View File

@@ -1,6 +1,8 @@
name: "Check whether nix files are parseable"
name: "Check whether nix files are parseable v2"
permissions: read-all
permissions:
pull-requests: read
contents: read
on:
# avoids approving first time contributors