More lock downs

This commit is contained in:
Trenton Holmes 2025-04-26 20:45:56 -07:00
parent 41ab921621
commit 3c61392eeb
5 changed files with 27 additions and 5 deletions


@ -14,6 +14,7 @@ on:
concurrency: concurrency:
group: registry-tags-cleanup group: registry-tags-cleanup
cancel-in-progress: false cancel-in-progress: false
permissions: {}
jobs: jobs:
cleanup-images: cleanup-images:
name: Cleanup Image Tags for ${{ matrix.primary-name }} name: Cleanup Image Tags for ${{ matrix.primary-name }}
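Review bot: With the workflow-level block now `permissions: {}`, every job in this file gets a GITHUB_TOKEN with no scopes unless it declares its own, and the body of `cleanup-images` lies outside the hunk, so it is not visible here whether it grants what a registry tag cleanup needs (presumably `packages: write`). Confirm the job-level grant exists before merging, since a missing scope surfaces only as a failed run at the next schedule. A short comment on the new line, `# jobs declare the scopes they need; the default token is inert`, would keep a later edit from widening this back at workflow level.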


@ -35,6 +35,8 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
persist-credentials: false
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v3 uses: github/codeql-action/init@v3


@ -2,8 +2,16 @@ name: PR Bot
on: on:
pull_request: pull_request:
types: [opened] types: [opened]
branches:
- main
- dev
- beta
pull_request_target: pull_request_target:
types: [opened] types: [opened]
branches:
- main
- dev
- beta
permissions: permissions:
contents: read contents: read
pull-requests: write pull-requests: write
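Review bot: The `branches:` filters added under `pull_request_target` restrict which base branches trigger the run, not who can open the pull request; a PR from a fork against main still runs this workflow with the repository token and the `pull-requests: write` scope shown at the end of the hunk. The comment in the zizmor ignore entry added by this same commit (`we filter to the target branches to limit external users running their own code`) therefore overstates what the filter achieves; the safety of `pull_request_target` rests on the jobs never checking out or executing the PR head, and the jobs are outside this hunk, so confirm none of them checks out the PR head ref. I'd reword the zizmor comment to `# branch filter limits where the bot runs; jobs must never check out or execute PR head code` so the invariant that actually matters is what gets recorded.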


@ -3,10 +3,6 @@ on:
schedule: schedule:
- cron: '0 3 * * *' - cron: '0 3 * * *'
workflow_dispatch: workflow_dispatch:
permissions:
issues: write
pull-requests: write
discussions: write
concurrency: concurrency:
group: lock group: lock
jobs: jobs:
@ -37,7 +33,7 @@ jobs:
if: github.repository_owner == 'paperless-ngx' if: github.repository_owner == 'paperless-ngx'
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- uses: dessant/lock-threads@v5 - uses: dessant/lock-threads@v5.0.1
with: with:
issue-inactive-days: '30' issue-inactive-days: '30'
pr-inactive-days: '30' pr-inactive-days: '30'
@ -113,6 +109,8 @@ jobs:
} }
close-outdated-discussions: close-outdated-discussions:
name: 'Close Outdated Discussions' name: 'Close Outdated Discussions'
permissions:
discussions: write
if: github.repository_owner == 'paperless-ngx' if: github.repository_owner == 'paperless-ngx'
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
@ -205,6 +203,8 @@ jobs:
} }
close-unsupported-feature-requests: close-unsupported-feature-requests:
name: 'Close Unsupported Feature Requests' name: 'Close Unsupported Feature Requests'
permissions:
discussions: write
if: github.repository_owner == 'paperless-ngx' if: github.repository_owner == 'paperless-ngx'
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
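Review bot: The first hunk (`@ -3,10 +3,6`) removes the workflow-level `permissions:` block without replacing it with `permissions: {}`, so any job in this file that declares no job-level block falls back to the repository's default GITHUB_TOKEN permissions, which can be broader than the three scopes removed; the registry cleanup workflow in this same commit sets `permissions: {}` and this file should match it. The two discussion-closing jobs now carry `discussions: write`, but the job using `dessant/lock-threads@v5.0.1` begins outside the second hunk, so it is not visible whether it declares `issues: write` and `pull-requests: write` — confirm it does, as the lock step will fail rather than degrade without them. I'd add `permissions: {}` at top level where the old block stood.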

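--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -1,8 +1,19 @@
+# https://woodruffw.github.io/zizmor/
 rules:
+  dangerous-triggers:
+    ignore:
+      # See https://woodruffw.github.io/zizmor/audits/#remediation_1
+      # we filter to the target branches to limit external users running their own code
+      - pr-bot.yml:2:1
   unpinned-uses:
     config:
       policies:
+        # We trust GitHub not to have a security incident
         actions/*: ref-pin
+        github/codeql-action/*: ref-pin
         crowdin/github-action: ref-pin
         astral-sh/setup-uv: ref-pin
         pnpm/action-setup: ref-pin
+        dessant/lock-threads: ref-pin
+        Gascon1/pr-size-labeler: ref-pin
+        stumpylog/image-cleaner-action/*: ref-pin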
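Review bot: The comment `# We trust GitHub not to have a security incident` justifies `ref-pin` only for `actions/*` and `github/codeql-action/*`, yet the third-party entries kept and added below it (`crowdin/github-action`, `dessant/lock-threads`, `Gascon1/pr-size-labeler`, `stumpylog/image-cleaner-action/*`) receive the same tag-pin allowance with no stated reason, and a tag is a mutable reference its publisher can move. For a lock-down commit, either record why tag pins are acceptable for those publishers, e.g. `# third-party actions: tag pins accepted for now, move to hash pins` above the first of them, or set their policy to zizmor's stricter `hash-pin` and pin the corresponding `uses:` lines to commit SHAs.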