mirror of
https://github.com/ivuorinen/dotfiles.git
synced 2026-02-08 00:50:44 +00:00
Ismo Vuorinen
89aeb29c04
Replace read-all/write-all with minimum required permission scopes across all GitHub Actions workflows to follow the principle of least privilege (SonarCloud rule githubactions:S8234).
40 lines
1.0 KiB
YAML
40 lines
1.0 KiB
YAML
---
|
|
# $schema: "https://json.schemastore.org/github-workflow.json"
|
|
name: Pre-commit autoupdate
|
|
|
|
on:
|
|
schedule:
|
|
# At 04:00 on Monday and Thursday.
|
|
- cron: '0 4 * * 1,4'
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
auto-update:
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
|
|
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
|
|
|
|
- run: pip install pre-commit && pre-commit autoupdate
|
|
|
|
- uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
branch: update/pre-commit-hooks
|
|
title: 'chore: update pre-commit hooks'
|
|
commit-message: 'chore: update pre-commit hooks'
|
|
body: Update versions of pre-commit hooks to latest version.
|