Update dependency cryptography to v48 [SECURITY] #1764
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR Labeler | |
| # Safety note (zizmor dangerous-triggers): this workflow uses | |
| # `pull_request_target` intentionally so PRs opened from forks can still be | |
| # labelled by maintainers (the default `pull_request` event runs with a | |
| # read-only token on fork PRs and cannot write labels). The job: | |
| # - Does NOT check out PR head code (no `actions/checkout` with `ref:`). | |
| # - Only consumes path-based label rules from the trusted base ref via | |
| # `actions/labeler`, which fetches the config from `github.sha` (base). | |
| # - Has narrowly scoped `pull-requests: write` permission and no secrets | |
| # beyond `GITHUB_TOKEN`. | |
| # Attacker-controlled PR content never reaches a `run:` block here. | |
| on: # zizmor: ignore[dangerous-triggers] | |
| pull_request_target: | |
| concurrency: | |
| group: labeler-${{ github.event.pull_request.number }} | |
| cancel-in-progress: true | |
| # Default-deny at workflow scope; the label job re-asserts the narrow | |
| # pull-requests: write scope it actually needs (Scorecard token-permissions). | |
| permissions: | |
| contents: read | |
| jobs: | |
| label: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - name: Harden runner (audit mode) | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0 | |
| with: | |
| repo-token: "${{ secrets.GITHUB_TOKEN }}" | |
| sync-labels: true |