feat(ci): pin versions, tighten permissions

2025-02-02 14:20:05 +02:00
parent ab2a86b6e2
commit 19f792e5d1
12 changed files with 86 additions and 63 deletions


@@ -19,6 +19,11 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false # Don't cancel as this could leave PRs in inconsistent state
permissions:
contents: read
checks: read
statuses: read
jobs:
auto-merge:
name: 🤝 Auto Merge
@@ -28,8 +33,6 @@ jobs:
permissions:
contents: write
pull-requests: write
checks: read
statuses: read
steps:
- name: Check Required Secrets
@@ -46,13 +49,13 @@ jobs:
- name: Generate Token
id: generate-token
if: steps.check-secrets.outputs.use_github_token == 'false'
uses: actions/create-github-app-token@v1
uses: actions/create-github-app-token@136412a57a7081aa63c935a2cc2918f76c34f514 # v1.11.2
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Auto Merge PR
uses: pascalgn/automerge-action@v0.16.4
uses: pascalgn/automerge-action@7961b8b5eec56cc088c140b56d864285eabd3f67 # v0.16.4
env:
GITHUB_TOKEN: ${{ steps.check-secrets.outputs.use_github_token == 'true' && github.token || steps.generate-token.outputs.token }}
MERGE_LABELS: 'dependencies,automated-pr,!work-in-progress,!do-not-merge'
@@ -68,7 +71,7 @@ jobs:
- name: Check Merge Status
if: always()
uses: actions/github-script@v7
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: ${{ steps.check-secrets.outputs.use_github_token == 'true' && github.token || steps.generate-token.outputs.token }}
script: |
@@ -137,7 +140,7 @@ jobs:
- name: Remove Labels on Failure
if: failure()
uses: actions/github-script@v7
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: ${{ steps.check-secrets.outputs.use_github_token == 'true' && github.token || steps.generate-token.outputs.token }}
script: |
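Review bot: Moving `checks: read` and `statuses: read` from the auto-merge job to the new workflow-level `permissions` block (first and second hunks) does not keep them for that job, because a job-level `permissions` block replaces the workflow default rather than merging with it; the job now grants only `contents: write` and `pull-requests: write`, and every other scope, including checks and statuses, becomes `none`. That matters on the `use_github_token == 'true'` path, where the automerge and both github-script steps fall back to `github.token` (the App-token path is unaffected, since its scopes come from the App installation, not from `permissions`). If the merge-status check or the automerge action needs to read check runs or commit statuses with the built-in token, restore the two lines in the job's block, `checks: read` and `statuses: read`, and keep the workflow-level block as the least-privilege default for jobs that declare none. The SHA pins with trailing `# vX.Y.Z` comments are the right shape, but the runner does not verify that the comment matches the SHA, so whatever bumps these pins should update both together. The `jobs` mapping begins before the first hunk and each `script: |` body continues past its hunk, so the steps that consume these scopes are not fully visible here.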