Improve Security of GitHub Actions Workflows#4668

Merged: Bibo-Joshi merged 2 commits into master from actions-security on Feb 2, 2025
2 changes: 2 additions & 0 deletions .github/workflows/dependabot-prs.yml
Expand Up@@ -4,6 +4,8 @@ on:
pull_request:
types: [opened, reopened]

permissions: {}

jobs:
process-dependabot-prs:
permissions:
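Review bot: The workflow-level `permissions: {}` added in this hunk withdraws every default `GITHUB_TOKEN` scope, so `process-dependabot-prs` now runs with only what its own `permissions:` block (collapsed below) grants; please confirm that block lists exactly the scopes the job's steps call for, since anything it omits is now `none` rather than the repository default. A one-line comment next to `permissions: {}` stating that intent would help the next editor, the way the job-level entries elsewhere in this PR explain their grants.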
2 changes: 2 additions & 0 deletions .github/workflows/docs-linkcheck.yml
Expand Up@@ -7,6 +7,8 @@ on:
paths:
- .github/workflows/docs-linkcheck.yml

permissions: {}

jobs:
test-sphinx-build:
name: test-sphinx-linkcheck
5 changes: 5 additions & 0 deletions .github/workflows/docs.yml
Expand Up@@ -8,10 +8,15 @@ on:
branches:
- master

permissions: {}

jobs:
test-sphinx-build:
name: test-sphinx-build
runs-on: ${{matrix.os}}
permissions:
# for uploading artifacts
actions: write
strategy:
matrix:
python-version: ['3.10']
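Review bot: The job-level `actions: write # for uploading artifacts` in `test-sphinx-build` is the broadest grant in this PR: `actions: write` also allows cancelling and re-running workflow runs, not just artifact handling. Please verify that the upload step really fails without it; `actions/upload-artifact` talks to the artifact service with the runner's runtime token rather than `GITHUB_TOKEN`, so the grant may be unnecessary, and if it is needed a comment naming the step that requires it would justify keeping it.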
4 changes: 3 additions & 1 deletion .github/workflows/gha_security.yml
Expand Up@@ -6,6 +6,8 @@ on:
- master
pull_request:

permissions: {}

jobs:
zizmor:
name: Security Analysis with zizmor
Expand All@@ -25,7 +27,7 @@ jobs:
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
with:
sarif_file: results.sarif
category: zizmor
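Review bot: `github/codeql-action/upload-sarif` needs `security-events: write` on the `zizmor` job (plus `actions: read` on private repositories), and with the new workflow-level `permissions: {}` that scope is no longer inherited; the job's `permissions:` block sits in the collapsed region above, so please confirm it grants `security-events: write` or the SARIF upload will be rejected. The SHA bump to `# v3.28.8` keeps the pin-plus-version-comment convention, which is good; just make sure the comment was taken from the release tag for that SHA, since a stale comment next to a pin is easy to miss in review.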
2 changes: 2 additions & 0 deletions .github/workflows/labelling.yml
Expand Up@@ -4,6 +4,8 @@ on:
pull_request:
types: [opened]

permissions: {}

jobs:
pre-commit-ci:
permissions:
6 changes: 6 additions & 0 deletions .github/workflows/lock.yml
Expand Up@@ -4,9 +4,15 @@ on:
schedule:
- cron: '8 4 * * *'

permissions: {}

jobs:
lock:
runs-on: ubuntu-latest
permissions:
# For locking the threads
issues: write
pull-requests: write
steps:
- uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
with:
8 changes: 8 additions & 0 deletions .github/workflows/release_pypi.yml
Expand Up@@ -4,12 +4,17 @@ on:
# manually trigger the workflow
workflow_dispatch:

permissions: {}

jobs:
build:
name: Build Distribution
runs-on: ubuntu-latest
outputs:
TAG: ${{ steps.get_tag.outputs.TAG }}
permissions:
# for uploading artifacts
actions: write

steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Expand DownExpand Up@@ -46,6 +51,7 @@ jobs:
url: https://pypi.org/p/python-telegram-bot
permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing
actions: read # for downloading artifacts

steps:
- name: Download all the dists
Expand All@@ -64,6 +70,7 @@ jobs:

permissions:
id-token: write # IMPORTANT: mandatory for sigstore
actions: write # for up/downloading artifacts

steps:
- name: Download all the dists
Expand DownExpand Up@@ -100,6 +107,7 @@ jobs:

permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases
actions: read # for downloading artifacts

steps:
- name: Download all the dists
8 changes: 8 additions & 0 deletions .github/workflows/release_test_pypi.yml
Expand Up@@ -4,12 +4,17 @@ on:
# manually trigger the workflow
workflow_dispatch:

permissions: {}

jobs:
build:
name: Build Distribution
runs-on: ubuntu-latest
outputs:
TAG: ${{ steps.get_tag.outputs.TAG }}
permissions:
# for uploading artifacts
actions: write

steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Expand DownExpand Up@@ -46,6 +51,7 @@ jobs:
url: https://test.pypi.org/p/python-telegram-bot
permissions:
id-token: write # IMPORTANT: mandatory for trusted publishing
actions: read # for downloading artifacts

steps:
- name: Download all the dists
Expand All@@ -66,6 +72,7 @@ jobs:

permissions:
id-token: write # IMPORTANT: mandatory for sigstore
actions: write # for up/downloading artifacts

steps:
- name: Download all the dists
Expand DownExpand Up@@ -102,6 +109,7 @@ jobs:

permissions:
contents: write # IMPORTANT: mandatory for making GitHub Releases
actions: read # for downloading artifacts

steps:
- name: Download all the dists
5 changes: 5 additions & 0 deletions .github/workflows/stale.yml
Expand Up@@ -3,9 +3,14 @@ on:
schedule:
- cron: '42 2 * * *'

permissions: {}

jobs:
stale:
runs-on: ubuntu-latest
permissions:
# For adding labels and closing
issues: write
steps:
- uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
with:
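Review bot: `actions/stale` processes pull requests as well as issues unless its `with:` configuration turns the PR side off, but the new job-level block grants only `issues: write`; if the collapsed `with:` section does not disable PR handling, the calls that label or close a stale PR will be refused by the API. Either add `pull-requests: write` with a comment, or confirm the configuration limits the action to issues so that the narrower grant is intentional.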
2 changes: 2 additions & 0 deletions .github/workflows/test_official.yml
Expand Up@@ -11,6 +11,8 @@ on:
# Run monday and friday morning at 03:07 - odd time to spread load on GitHub Actions
- cron: '7 3 * * 1,5'

permissions: {}

jobs:
check-conformity:
name: check-conformity
2 changes: 2 additions & 0 deletions .github/workflows/type_completeness.yml
Expand Up@@ -9,6 +9,8 @@ on:
branches:
- master

permissions: {}

jobs:
test-type-completeness:
name: test-type-completeness
2 changes: 2 additions & 0 deletions .github/workflows/type_completeness_monthly.yml
Expand Up@@ -4,6 +4,8 @@ on:
# Run first friday of the month at 03:17 - odd time to spread load on GitHub Actions
- cron: '17 3 1-7 * 5'

permissions: {}

jobs:
test-type-completeness:
name: test-type-completeness
2 changes: 2 additions & 0 deletions .github/workflows/unit_tests.yml
Expand Up@@ -14,6 +14,8 @@ on:
# Run monday and friday morning at 03:07 - odd time to spread load on GitHub Actions
- cron: '7 3 * * 1,5'

permissions: {}

jobs:
pytest:
name: pytest