
Commit 126e41e

apply a few easy hardenings suggested by zizmore (#1316)
1 parent d9ae47b commit 126e41e


4 files changed

+12
-6
lines changed


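--- a/.github/workflows/automerge-dependabot.yml
+++ b/.github/workflows/automerge-dependabot.yml
@@ -7,7 +7,7 @@ permissions: write-all
 jobs:
 dependabot:
 runs-on: ubuntu-latest
-if: ${{ github.actor == 'dependabot[bot]' }}
+if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
 steps:
 - name: Dependabot metadata
 id: metadata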
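Review bot: The workflow still declares `permissions: write-all` (visible in the hunk header just above `jobs:`), so the token given to the `dependabot` job carries every write scope even though the actor check was tightened. For an auto-merge job the grant can usually be narrowed to a `permissions:` block with `contents: write` and `pull-requests: write`; the exact scopes depend on the steps after `Dependabot metadata`, which are outside the hunk. Note also that `github.event.pull_request.user.login` identifies who opened the pull request, not who authored each commit on the branch, so the merge step should keep relying on the metadata step's output rather than on this condition alone.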

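--- a/.github/workflows/build-docs.yml
+++ b/.github/workflows/build-docs.yml
@@ -13,6 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v5
+with: { persist-credentials: false }
 - uses: actions/setup-node@v5
 with:
 node-version-file: '.nvmrc'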
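Review bot: `actions/checkout@v5` and `actions/setup-node@v5` are still referenced by mutable tag, so a retagged or compromised release would run in this job unchanged; the same applies to the `uses:` lines in publish-style-spec.yml and test-all.yml. Pinning to the full commit SHA with the tag as a trailing comment closes that, e.g. `- uses: actions/checkout@<full-commit-sha> # v5` (placeholder; take the SHA from the action's release). As a style point, `with: { persist-credentials: false }` is a flow mapping while the next step's `with:` is a block mapping; writing `persist-credentials: false` on its own line under `with:` would match the rest of the file.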

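--- a/.github/workflows/publish-style-spec.yml
+++ b/.github/workflows/publish-style-spec.yml
@@ -47,6 +47,7 @@ jobs:
 - uses: actions/checkout@v5
 with:
 fetch-depth: 0
+persist-credentials: false
 
 - name: Use Node.js from nvmrc
 uses: actions/setup-node@v5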
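Review bot: With `persist-credentials: false` the token is no longer written to the local git config, so any later step in this job that pushes a commit or tag back to the repository will now run unauthenticated and fail. The job continues outside the hunk, and `fetch-depth: 0` suggests history or tags are used, so it is worth confirming that the publish steps only read the local clone. If a step does need to push, hand the token to that step explicitly rather than re-enabling persistence for the whole job.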

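--- a/.github/workflows/test-all.yml
+++ b/.github/workflows/test-all.yml
@@ -6,17 +6,15 @@ on:
 pull_request:
 workflow_dispatch:
 
-permissions:
-checks: write
-pull-requests: write
-contents: write
-
 jobs:
 code-hygiene:
 name: Code Hygiene
 runs-on: ubuntu-latest
+permissions:
+contents: read
 steps:
 - uses: actions/checkout@v5
+with: { persist-credentials: false }
 - uses: actions/setup-node@v5
 with:
 node-version-file: '.nvmrc'
@@ -28,8 +26,11 @@ jobs:
 unit-and-integration-tests:
 name: Unit and Integration Tests
 runs-on: ubuntu-latest
+permissions:
+contents: read
 steps:
 - uses: actions/checkout@v5
+with: { persist-credentials: false }
 - uses: actions/setup-node@v5
 with:
 node-version-file: '.nvmrc'
@@ -49,8 +50,11 @@ jobs:
 matrix:
 os: [ubuntu-latest, windows-latest]
 runs-on: ${{ matrix.os }}
+permissions:
+contents: read
 steps:
 - uses: actions/checkout@v5
+with: { persist-credentials: false }
 - uses: actions/setup-node@v5
 with:
 node-version-file: '.nvmrc'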
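Review bot: Removing the workflow-level `permissions:` block in the first hunk leaves no default in this file, so any job that does not set its own `permissions:` (now, or when one is added later) falls back to the repository's default token scopes. Adding `permissions: {}` at the top level keeps the three per-job `contents: read` grants and makes every other job start from no scopes. Dropping `checks: write` and `pull-requests: write` is only safe if no step in these jobs posts check runs or pull-request comments; the step lists continue outside the hunks, so that should be confirmed on a pull-request run.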
