
Commit 843a0fd

security: harden GitHub Actions workflows against credential exposure and fork PR attacks
1 parent a121ca8 commit 843a0fd

6 files changed

Lines changed: 44 additions & 13 deletions


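--- a/.github/workflows/ChatGPT-Reviewer.yml
+++ b/.github/workflows/ChatGPT-Reviewer.yml
@@ -17,7 +17,7 @@ jobs:
 steps:
 - uses: platisd/openai-pr-description@master
 with:
-github_token: ${{ secrets.NOVUM_PRIVATE_REPOS }}
+github_token: ${{ secrets.GITHUB_TOKEN }}
 openai_api_key: ${{ secrets.OPENAI_API_KEY }}
 sample_prompt: |
 You are a design system designer and your function is create a table with all the changes for a GitHub Pull Request in Markdown format.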
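Review bot: Unlike the other five workflows in this commit, this file gains no `permissions:` block, so the `GITHUB_TOKEN` now passed on line 20 still carries the repository's default token permissions rather than an explicit least-privilege grant. The step on line 18 also references `platisd/openai-pr-description@master`, a mutable branch, so the code that receives both this token and `OPENAI_API_KEY` can change without any change to this repository; pinning it to a full commit SHA with the version in a trailing comment (`# vX.Y.Z`) closes that gap. The trigger and the rest of the job are outside the hunk, so whether the default token satisfies the action's write needs cannot be confirmed from here.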

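--- a/.github/workflows/auto-generator.yml
+++ b/.github/workflows/auto-generator.yml
@@ -1,5 +1,8 @@
 name: Readme Generator
 
+permissions:
+contents: write
+
 on:
 workflow_dispatch:
 push:
@@ -20,7 +23,9 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
-- uses: actions/checkout@v3
+- uses: actions/checkout@v6
+with:
+persist-credentials: false
 
 - name: Get branch name
 uses: rlespinasse/github-slug-action@v3.x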
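Review bot: `actions/checkout@v6` on line 26 is a floating major tag, so the checkout code can still be swapped by a tag move without any change in this repository; pinning to a full commit SHA with the tag in a trailing comment closes that gap, and the same applies to every checkout bumped in this commit (evenodd-test.yml, figma-export.yml, icons-release.yml, keywords-test.yml) and to `rlespinasse/github-slug-action@v3.x` on line 31. The `contents: write` added on lines 3-4 is workflow-wide, so it reaches every job in the file rather than only the one that needs to push; placing it under that job and leaving the workflow default at `contents: read` would be tighter. With `persist-credentials: false` now set, any later `git push` in this workflow has to be given a token explicitly; that step, if one exists, is outside the hunk and should be checked rather than assumed to still work.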

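--- a/.github/workflows/evenodd-test.yml
+++ b/.github/workflows/evenodd-test.yml
@@ -1,5 +1,8 @@
 name: Check evenodds
 
+permissions:
+contents: read
+
 on:
 workflow_dispatch:
 # push:
@@ -17,7 +20,9 @@ jobs:
 
 steps:
 - name: Checkout del código
-uses: actions/checkout@v3
+uses: actions/checkout@v6
+with:
+persist-credentials: false
 
 - name: Search for evenodd icons
 run: |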

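--- a/.github/workflows/figma-export.yml
+++ b/.github/workflows/figma-export.yml
@@ -1,5 +1,9 @@
 name: 🚀 Release (Figma)
 
+permissions:
+contents: write
+pull-requests: write
+
 on:
 workflow_dispatch:
 inputs:
@@ -36,7 +40,9 @@ jobs:
 export-icons:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@v6
+with:
+persist-credentials: false
 
 - name: Install SVG/PDF tooling
 run: |
@@ -138,7 +144,7 @@ jobs:
 - name: Commit & Push
 if: ${{ steps.changes.outputs.changed == 'true' }}
 env:
-GITHUB_TOKEN: ${{ secrets.NOVUM_PRIVATE_REPOS }}
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 TARGET_BRANCH: ${{ github.event.inputs.branch || 'import-figma-icons' }}
 run: |
 git config user.name "github-actions"
@@ -156,4 +162,4 @@ jobs:
 pr_title: ${{ steps.pr.outputs.title }}
 pr_body: ${{ steps.pr.outputs.body }}
 pr_draft: ${{ github.event.inputs.draft }}
-github_token: ${{ secrets.NOVUM_PRIVATE_REPOS }}
+github_token: ${{ secrets.GITHUB_TOKEN }}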
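Review bot: Replacing the PAT with `GITHUB_TOKEN` on line 146 and line 165 changes a runtime behaviour the commit does not mention: commits pushed and pull requests opened with `GITHUB_TOKEN` do not trigger other workflows, so anything that used to run on the `import-figma-icons` branch or on the resulting PR (possibly the ChatGPT-Reviewer workflow in this same repository) will no longer fire automatically. If that is intended, a comment next to the env block such as `# GITHUB_TOKEN: pushes/PRs made with it do not trigger downstream workflows` would spare the next maintainer a debugging session; if not, a short-lived GitHub App installation token scoped to this repository is the usual replacement that keeps the PAT out of the workflow. The `pull-requests: write` grant on line 5 is workflow-wide; if only the PR-creating step needs it, it can be scoped to that job. The Commit & Push script and the action behind the final PR step are outside the hunk.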

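--- a/.github/workflows/icons-release.yml
+++ b/.github/workflows/icons-release.yml
@@ -1,5 +1,8 @@
 name: Publish Release
 
+permissions:
+contents: write
+
 on:
 pull_request:
 types: [closed]
@@ -14,7 +17,9 @@ jobs:
 if: github.event.pull_request.merged
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v3
+- uses: actions/checkout@v6
+with:
+persist-credentials: false
 - name: Create a Release
 uses: elgohr/Github-Release-Action@v4
 env: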
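Review bot: With the trigger on lines 7-8 being `pull_request` with `types: [closed]`, the `contents: write` added on lines 3-4 will not apply when the merged PR came from a fork: on `pull_request` events from forks `GITHUB_TOKEN` is read-only regardless of the `permissions:` block, so the release step on line 24 would fail for those merges. If fork contributions are merged here, triggering on `push` to the default branch (or on tag/`release` events) is the usual way to obtain a write-capable token without running PR-supplied content with elevated rights, which also matches the commit's stated goal. The `env:` block that hands the token to `elgohr/Github-Release-Action@v4` continues outside the hunk.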

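--- a/.github/workflows/keywords-test.yml
+++ b/.github/workflows/keywords-test.yml
@@ -1,5 +1,8 @@
 name: Check icons keywords
 
+permissions:
+contents: write
+
 on:
 workflow_dispatch:
 # push:
@@ -17,7 +20,9 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v3
+uses: actions/checkout@v6
+with:
+persist-credentials: false
 
 - name: List SVG files
 run: |
@@ -88,7 +93,9 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v3
+uses: actions/checkout@v6
+with:
+persist-credentials: false
 
 - name: List SVG files
 run: |
@@ -164,9 +171,10 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v3
+uses: actions/checkout@v6
 with:
-token: ${{ secrets.NOVUM_PRIVATE_REPOS }}
+persist-credentials: false
+token: ${{ secrets.GITHUB_TOKEN }}
 ref: ${{ github.head_ref }}
 
 - name: Set up Python
@@ -192,7 +200,7 @@ jobs:
 
 - name: Commit & Push
 env:
-GITHUB_TOKEN: ${{ secrets.NOVUM_PRIVATE_REPOS }}
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 git config user.name "github-actions"
 git config user.email "github-actions[bot]@users.noreply.github.com"
@@ -232,7 +240,9 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v3
+uses: actions/checkout@v6
+with:
+persist-credentials: false
 
 - name: List SVG files
 run: |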
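Review bot: The checkout in the `@@ -164,9 +171,10 @@` hunk now passes `token: ${{ secrets.GITHUB_TOKEN }}` while also setting `persist-credentials: false` (lines 175-177), so that token is used only for the fetch and is not left behind in the repository; the later Commit & Push step (line 203) therefore has to authenticate on its own, and whether its `run:` script actually uses `$GITHUB_TOKEN` in the push URL is outside the hunk and should be confirmed. That same checkout targets `ref: ${{ github.head_ref }}`, which is only populated on pull-request events; if this job runs on `pull_request` for fork branches the push will fail with a read-only token, and if it is ever moved to `pull_request_target`, checking out the PR head, executing its content and holding a write token is exactly the pattern the commit title is guarding against, so a comment at that checkout such as `# head_ref checkout: must never run under pull_request_target` is worth adding. The `contents: write` on lines 3-4 is workflow-wide although only the job containing Commit & Push appears to push; scoping it to that job and leaving the others at `contents: read` would match what evenodd-test.yml does in this same commit. The trigger list is cut off by the hunk (only `workflow_dispatch` and a commented `push:` are visible), so the event this job actually runs on is inferred.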
