diff --git a/.github/workflows/composer-install.yml b/.github/workflows/composer-install.yml
index d238226..5921757 100644
--- a/.github/workflows/composer-install.yml
+++ b/.github/workflows/composer-install.yml
@@ -1,6 +1,9 @@
--- name: Run Composer Install +env: + ACTIONS_ALLOW_UNSECURE_COMMAND=false + on: workflow_dispatch: pull_request:
@@ -8,13 +11,18 @@ on:
- "composer.json" - "composer.lock" +permissions: + contents: write + packages: read + statuses: write + jobs: ComposerInstall: runs-on: ubuntu-latest permissions: contents: write - pacakges: read + packages: read statuses: write strategy:
diff --git a/.github/workflows/compress-images.yml b/.github/workflows/compress-images.yml
index 92fd609..e086f7a 100644
--- a/.github/workflows/compress-images.yml
+++ b/.github/workflows/compress-images.yml
@@ -3,11 +3,19 @@
# Open a Pull Request if any images can be compressed. name: Compress Images on Demand +env: + ACTIONS_ALLOW_UNSECURE_COMMAND=false + on: workflow_dispatch: schedule: - cron: "00 23 * * 0" +permissions: + contents: write + statuses: write + pull-requests: write + jobs: CompressOnDemandOrSchedule: name: calibreapp/image-actions
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index e19e42f..cd46663 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -10,8 +10,16 @@
# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement name: "Dependency Review" +env: + ACTIONS_ALLOW_UNSECURE_COMMAND=false + on: [pull_request] +permissions: + contents: read + packages: read + statuses: read + jobs: dependency-review: runs-on: ubuntu-latest
diff --git a/.github/workflows/laravel-phpunit.yml b/.github/workflows/laravel-phpunit.yml
index 6a71fd3..e4d9603 100644
--- a/.github/workflows/laravel-phpunit.yml
+++ b/.github/workflows/laravel-phpunit.yml
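Review bot: The `env:` block added in the first composer-install hunk does not define a variable: `ACTIONS_ALLOW_UNSECURE_COMMAND=false` is shell `name=value` syntax with no `:` separator, so YAML reads it as a single plain scalar and `env` becomes a string instead of a mapping, which the workflow schema rejects and which will stop the workflow from loading. The variable GitHub documents is also spelled `ACTIONS_ALLOW_UNSECURE_COMMANDS` (plural), and the deprecated `set-env`/`add-path` commands it gated have been disabled by default since the 2020 deprecation, so even a correctly written `ACTIONS_ALLOW_UNSECURE_COMMANDS: "false"` would change nothing. The same three lines are pasted into every workflow in this change; I would drop the block everywhere rather than repair it, and if a pin is really wanted, write it as a mapping entry with the value quoted so it stays a string.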
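Review bot: The workflow-level `permissions` block added in the second composer-install hunk duplicates the job-level block a few lines below it, and a job-level `permissions` replaces the workflow-level set wholesale, so the top-level copy has no effect on `ComposerInstall` and only leaves two places to keep in sync. The `pacakges` → `packages` correction is the useful part of this hunk; I would keep exactly one block, and since the job runs on `pull_request` to install dependencies, `contents: read` is the safer default unless a step outside the hunk pushes commits. `packages: read` and `statuses: write` are worth keeping only if a step actually pulls from GitHub Packages or posts commit statuses, which cannot be confirmed from the hunk.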
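Review bot: The new `permissions` in the compress-images hunk grant `statuses: write`, which nothing visible uses: the file comment says the job opens a pull request with compressed images, and that is covered by `contents: write` plus `pull-requests: write`. Unless a step outside the hunk sets commit statuses, I would trim the block to those two scopes, `permissions:` / `  contents: write` / `  pull-requests: write`. The job body is outside the hunk, so treat this as a prompt to check rather than a confirmed excess.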
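Review bot: The `permissions` added for dependency-review list `packages: read` and `statuses: read`, neither of which the dependency-review action uses; it reads the repository (`contents: read`) and, only when configured to comment on the PR, needs `pull-requests: write`. I would reduce the block to `contents: read`, adding `pull-requests: write` only if the job definition outside this hunk enables PR comments. Read-only scopes are harmless by themselves, but listing unused ones obscures what the token is actually for and makes later audits harder.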
@@ -1,12 +1,20 @@
--- name: Laravel Setup and Composer test +env: + ACTIONS_ALLOW_UNSECURE_COMMAND=false + on: push: branches: [main] pull_request: branches: [main] +permissions: + contents: write + packages: read + statuses: write + jobs: laravel-tests: runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-compress-images.yml b/.github/workflows/pr-compress-images.yml
index bab3b41..4b188db 100644
--- a/.github/workflows/pr-compress-images.yml
+++ b/.github/workflows/pr-compress-images.yml
@@ -1,6 +1,9 @@
--- name: Compress Images +env: + ACTIONS_ALLOW_UNSECURE_COMMAND=false + on: pull_request: # Run Image Actions when JPG, JPEG, PNG or WebP files are added or changed.
@@ -11,6 +14,12 @@ on:
- "**.png" - "**.webp" +permissions: + contents: write + packages: read + statuses: write + pull-requests: write + jobs: CompressInPR: # Only run on Pull Requests within the same repository, and not from forks.
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
index 2fdcf56..317108a 100644
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -13,6 +13,7 @@
name: Lint Code Base env: MAIN_BRANCH: main + ACTIONS_ALLOW_UNSECURE_COMMAND=false ############################# # Start the job on all push #
@@ -24,6 +25,11 @@ on:
pull_request: branches: [master, main] +permissions: + contents: read + packages: read + statuses: write + ############### # Set the Job # ###############
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 90f2859..e4539ce 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -1,9 +1,17 @@
--- name: Release Drafter +env: + ACTIONS_ALLOW_UNSECURE_COMMAND=false + on: workflow_call: +permissions: + contents: write + statuses: write + packages: read + jobs: update_release_draft: name: ✏️ Draft release
diff --git a/.github/workflows/release-monthly.yaml b/.github/workflows/release-monthly.yaml
index c866f55..4e31299 100644
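Review bot: The laravel-phpunit hunk hands the test job's `GITHUB_TOKEN` `contents: write` at the workflow level on both `push` and `pull_request`, which is more than installing Composer dependencies and running PHPUnit should need. Unless a step outside the hunk commits or tags, I would write `permissions:` / `  contents: read` / `  statuses: write`, keeping `statuses: write` only if a step actually reports commit statuses. On `pull_request` from a fork the token is read-only regardless, so the write scope only matters, and only widens the blast radius of a compromised test dependency, for same-repository branches and `push` runs.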
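Review bot: In the second pr-compress-images hunk, `packages: read` and `statuses: write` do not correspond to anything the file describes: committing compressed images to the PR branch is covered by `contents: write` and updating the pull request by `pull-requests: write`. I would drop the two unused scopes unless a step outside the hunk pulls from GitHub Packages or posts statuses. The same-repository `if` guard mentioned in the trailing comment is worth keeping next to this block, since it is the stated reason write scopes are acceptable on a `pull_request` trigger.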
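Review bot: In the first pr-lint hunk the added line lands inside an existing `env:` mapping directly under `MAIN_BRANCH: main`, and `ACTIONS_ALLOW_UNSECURE_COMMAND=false` has no `:` separator, so the parser meets a bare scalar where a mapping key is required and the file fails to load, taking the lint workflow down with it. If the variable is wanted at all it must be a `key: value` pair using the documented plural name, `ACTIONS_ALLOW_UNSECURE_COMMANDS: "false"`, quoted so the value stays a string; otherwise remove the line, since the commands it gates are already disabled by default.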
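Review bot: `release-drafter.yml` is triggered by `workflow_call`, so the `permissions` added in this hunk are not what the job will run with: a called workflow can only reduce the token it receives from the caller, never add to it, and if the caller does not grant `contents: write` the draft step fails there, not here. Within that bound, `statuses: write` and `packages: read` do not correspond to anything release drafting does, while building the notes requires reading pull requests and their labels, so I would expect `pull-requests: read` (or `write` if the autolabeler is configured, which is decided outside this hunk) alongside `contents: write`. A one-line comment under `workflow_call:` stating the scopes callers must pass would save the next person a failed run.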
--- a/.github/workflows/release-monthly.yaml
+++ b/.github/workflows/release-monthly.yaml
@@ -2,11 +2,19 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: "Release" +env: + ACTIONS_ALLOW_UNSECURE_COMMAND=false + on: workflow_dispatch: schedule: - cron: "0 0 1 * *" # 1st of every month at midnight +permissions: + contents: write + packages: read + statuses: read + jobs: release: name: Release
diff --git a/.github/workflows/reviewdog-linters.yml b/.github/workflows/reviewdog-linters.yml
index 710f600..98a5dfd 100644
--- a/.github/workflows/reviewdog-linters.yml
+++ b/.github/workflows/reviewdog-linters.yml
@@ -3,6 +3,14 @@ name: Reviewdog Linters on: [pull_request] +env: + ACTIONS_ALLOW_UNSECURE_COMMAND=false + +permissions: + contents: read + packages: read + statuses: write + jobs: linters: name: Linters
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 2d0937c..336d6dc 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,6 +1,9 @@
--- name: Stale +env: + ACTIONS_ALLOW_UNSECURE_COMMAND=false + on: schedule: - cron: "0 8 * * *"
@@ -8,9 +11,11 @@ on:
workflow_dispatch: permissions: - contents: read - packages: read + contents: write # only for delete-branch option + issues: write + pull-requests: write statuses: read + packages: read jobs: stale:
diff --git a/.github/workflows/sync-labels-to-own-projects.yml b/.github/workflows/sync-labels-to-own-projects.yml
index 60bf7a7..9b38521 100644
--- a/.github/workflows/sync-labels-to-own-projects.yml
+++ b/.github/workflows/sync-labels-to-own-projects.yml
@@ -1,6 +1,9 @@
--- name: Sync labels to other repositories +env: + ACTIONS_ALLOW_UNSECURE_COMMAND=false + on: push: branches:
@@ -12,6 +15,10 @@ on:
schedule: - cron: "0 0 * * *" # Every day at midnight +permissions: + contents: write + statuses: write + jobs: sync-labels: runs-on: ubuntu-latest
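Review bot: The reviewdog-linters hunk grants only `contents: read`, `packages: read` and `statuses: write`, but reviewdog's pull-request reporters (`github-pr-review`, `github-pr-check`) need to write review comments or create checks, so with this token the linters will be unable to post inline findings and, depending on the reporter, either fail or silently fall back to log output. Add `pull-requests: write` (plus `checks: write` if a check reporter is used) and drop `packages: read` unless a step pulls an image from GitHub Packages; the job body that chooses the reporter is outside this hunk, so confirm against it.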
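Review bot: The second stale hunk raises `contents` from `read` to `write` on a daily cron job with the justification "only for delete-branch option"; if the `actions/stale` step outside this hunk does not actually set `delete-branch: true`, that is a write scope for nothing, and even when it does, the comment should name the option exactly so a reader can verify it, e.g. `contents: write  # required only for delete-branch: true`. `issues: write` and `pull-requests: write` are the scopes stale needs to label and close; `statuses: read` and `packages: read` have no visible use and could go.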
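Review bot: The `permissions` added in the second sync-labels-to-own-projects hunk only shape this repository's `GITHUB_TOKEN`, which cannot create or edit labels in other repositories, so whatever step pushes labels to the other projects (outside this hunk) must be using a separate PAT or app token, and that token's scope is the one that actually matters for this workflow. Labels are governed by the `issues` permission, not `contents`, so for the repository's own token `contents: read` is enough unless a step commits, and `statuses: write` has no visible consumer. I would reduce the block to `contents: read` and add a comment naming the secret that carries the cross-repository credential so its scope can be reviewed too.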
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index ccba22d..7ad64b4 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -2,6 +2,9 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: Sync labels +env: + ACTIONS_ALLOW_UNSECURE_COMMAND=false + on: push: branches:
@@ -13,6 +16,11 @@
workflow_call: workflow_dispatch: +permissions: + issues: write + contents: read + statuses: read + jobs: labels: name: ♻️ Sync labels
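Review bot: `issues: write` plus `contents: read` in the second sync-labels hunk is the right minimum for syncing labels on this repository; `statuses: read` in the same block has no visible consumer and could be dropped. Because the workflow is also exposed via `workflow_call`, callers must grant at least `issues: write` themselves, since a called workflow can only lower the token it is handed, so a comment beside `workflow_call:` such as `# callers must grant issues: write` would prevent confusing failures in the calling repository.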