From 3c61392eeba767662abbfc6b33c3d49a4bb7b838 Mon Sep 17 00:00:00 2001
From: Trenton Holmes <797416+stumpylog@users.noreply.github.com>
Date: Sat, 26 Apr 2025 20:45:56 -0700
Subject: [PATCH] More lock downs

---
 .github/workflows/cleanup-tags.yml | 1 +
 .github/workflows/codeql-analysis.yml | 2 ++
 .github/workflows/pr-bot.yml | 8 ++++++++
 .github/workflows/repo-maintenance.yml | 10 +++++-----
 .github/zizmor.yml | 11 +++++++++++
 5 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/cleanup-tags.yml b/.github/workflows/cleanup-tags.yml
index 324ef7750..febe8af99 100644
--- a/.github/workflows/cleanup-tags.yml
+++ b/.github/workflows/cleanup-tags.yml
@@ -14,6 +14,7 @@ on:
 concurrency:
 group: registry-tags-cleanup
 cancel-in-progress: false
+permissions: {}
 jobs:
 cleanup-images:
 name: Cleanup Image Tags for ${{ matrix.primary-name }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 0be68b3ed..b9519be28 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -35,6 +35,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v3
diff --git a/.github/workflows/pr-bot.yml b/.github/workflows/pr-bot.yml
index e2f4c44a4..87b34ec0d 100644
--- a/.github/workflows/pr-bot.yml
+++ b/.github/workflows/pr-bot.yml
@@ -2,8 +2,16 @@ name: PR Bot
 on:
 pull_request:
 types: [opened]
+ branches:
+ - main
+ - dev
+ - beta
 pull_request_target:
 types: [opened]
+ branches:
+ - main
+ - dev
+ - beta
 permissions:
 contents: read
 pull-requests: write
diff --git a/.github/workflows/repo-maintenance.yml b/.github/workflows/repo-maintenance.yml
index 2493afb67..7e1df9f7a 100644
--- a/.github/workflows/repo-maintenance.yml
+++ b/.github/workflows/repo-maintenance.yml
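Review bot: The new workflow-level `permissions: {}` in cleanup-tags.yml leaves the cleanup-images job with no token scopes, and the patch adds no job-level grant for it (the diffstat shows a single insertion for this file). If that job deletes registry tags with `GITHUB_TOKEN` rather than a stored PAT, it now needs a job-level `permissions:` block with `packages: write`; if it uses a PAT, a comment next to the empty block such as `# GITHUB_TOKEN is unused here; the cleanup action authenticates with a PAT secret` would make the empty grant deliberate rather than something the next reader has to verify. The cleanup-images job body continues outside the hunk.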
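Review bot: The `branches:` filter added under `pull_request_target` in pr-bot.yml narrows which target branches fire the workflow, but it does not reduce what a fork PR against main, dev or beta can do: the event still runs with the base repository's token and the `pull-requests: write` scope visible at the bottom of the hunk. The ignore comment in the zizmor.yml hunk ("we filter to the target branches to limit external users running their own code") therefore states a stronger guarantee than the filter provides; the actual safety condition is that the job never checks out or executes content from the PR head, which is outside this hunk. Consider rewording that comment to `# target-branch filter only; the job must not check out or run PR-head content under pull_request_target`, or keeping the finding visible instead of ignoring it. Separately, with both `pull_request` and `pull_request_target` firing on `opened`, same-repository PRs will presumably run the workflow twice unless job conditions outside the hunk prevent it.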
@@ -3,10 +3,6 @@ on:
 schedule:
 - cron: '0 3 * * *'
 workflow_dispatch:
-permissions:
- issues: write
- pull-requests: write
- discussions: write
 concurrency:
 group: lock
 jobs:
@@ -37,7 +33,7 @@ jobs:
 if: github.repository_owner == 'paperless-ngx'
 runs-on: ubuntu-24.04
 steps:
- - uses: dessant/lock-threads@v5
+ - uses: dessant/lock-threads@v5.0.1
 with:
 issue-inactive-days: '30'
 pr-inactive-days: '30'
@@ -113,6 +109,8 @@ jobs:
 }
 close-outdated-discussions:
 name: 'Close Outdated Discussions'
+ permissions:
+ discussions: write
 if: github.repository_owner == 'paperless-ngx'
 runs-on: ubuntu-24.04
 steps:
@@ -205,6 +203,8 @@ jobs:
 }
 close-unsupported-feature-requests:
 name: 'Close Unsupported Feature Requests'
+ permissions:
+ discussions: write
 if: github.repository_owner == 'paperless-ngx'
 runs-on: ubuntu-24.04
 steps:
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 8416f1f48..95cb06bea 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -1,8 +1,19 @@
+# https://woodruffw.github.io/zizmor/
 rules:
+ dangerous-triggers:
+ ignore:
+ # See https://woodruffw.github.io/zizmor/audits/#remediation_1
+ # we filter to the target branches to limit external users running their own code
+ - pr-bot.yml:2:1
 unpinned-uses:
 config:
 policies:
+ # We trust GitHub not to have a security incident
 actions/*: ref-pin
+ github/codeql-action/*: ref-pin
 crowdin/github-action: ref-pin
 astral-sh/setup-uv: ref-pin
 pnpm/action-setup: ref-pin
+ dessant/lock-threads: ref-pin
+ Gascon1/pr-size-labeler: ref-pin
+ stumpylog/image-cleaner-action/*: ref-pin
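Review bot: Removing the workflow-level `issues: write` and `pull-requests: write` in the first repo-maintenance.yml hunk leaves the lock-threads job in the second hunk (`dessant/lock-threads@v5.0.1`) with no job-level `permissions:` block, whereas the two discussions jobs in the third and fourth hunks each received one. If that job authenticates with `GITHUB_TOKEN` and the repository's default token permissions are restricted, it will no longer be able to lock issues or pull requests; the fix is a job-level `permissions:` with `issues: write` and `pull-requests: write`, mirroring the per-job style used for `discussions: write`. If the job uses a PAT instead, a comment on the job saying so would make the omission deliberate. The lock-threads job header starts outside the second hunk, so other jobs that relied on the removed scopes may exist beyond what is visible here.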
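Review bot: The `ref-pin` policy in the zizmor.yml `policies:` block is now extended to third-party actions (`dessant/lock-threads`, `Gascon1/pr-size-labeler`, `stumpylog/image-cleaner-action/*`), but the only rationale added ("We trust GitHub not to have a security incident") covers `actions/*` and `github/codeql-action/*`; a tag such as `v5.0.1` is mutable, so a retagged or compromised third-party release would pass the audit unchanged. Either hash-pin those three in the workflows and drop the policy entries, or add a comment above them recording the decision, e.g. `# third-party actions: tag pin accepted because [reason]; revisit when hash-pinning`. The `dangerous-triggers` ignore for `pr-bot.yml:2:1` appears to target the `on:` key itself, which presumably silences the audit for any trigger later added to that block, not just the current `pull_request_target`; if so, note that in the ignore comment so the exemption is re-examined when triggers change.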