diff --git a/.github/workflows/if-nodejs-version-bump.yml b/.github/workflows/if-nodejs-version-bump.yml index d038414e..bde278ff 100644 --- a/.github/workflows/if-nodejs-version-bump.yml +++ b/.github/workflows/if-nodejs-version-bump.yml @@ -9,6 +9,10 @@ on: types: - published +permissions: + contents: write + pull-requests: write + jobs: version_bump: name: Generate assets and bump NodeJS @@ -21,6 +25,7 @@ jobs: # in case release is created from release branch then we need to checkout from given branch # if @semantic-release/github is used to publish, the minimum version is 7.2.0 for proper working ref: ${{ github.event.release.target_commitish }} + persist-credentials: false - name: Check if Node.js project and has package.json id: packagejson run: test -e ./package.json && echo "exists=true" >> $GITHUB_OUTPUT || echo "exists=false" >> $GITHUB_OUTPUT @@ -59,7 +64,7 @@ jobs: RELEASE_TAG: ${{github.event.release.tag_name}} RELEASE_URL: ${{github.event.release.html_url}} with: - token: ${{ secrets.GH_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} commit-message: 'chore(release): ${{ env.RELEASE_TAG }}' committer: asyncapi-bot author: asyncapi-bot diff --git a/.github/workflows/issues-prs-notifications.yml b/.github/workflows/issues-prs-notifications.yml index ce136286..1e3b616e 100644 --- a/.github/workflows/issues-prs-notifications.yml +++ b/.github/workflows/issues-prs-notifications.yml @@ -9,11 +9,13 @@ on: types: [opened, reopened] pull_request_target: - types: [opened, reopened, ready_for_review] + types: [opened, reopened, ready_for_review] # zizmor: ignore[dangerous-triggers] discussion: types: [created] +permissions: {} + jobs: issue: if: github.event_name == 'issues' && github.actor != 'asyncapi-bot' && github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml index 77aa1c6e..05f94f94 100644 --- a/.github/workflows/lint-pr-title.yml 
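Review bot: The new workflow-level `permissions:` block grants `contents: write` and `pull-requests: write` to every job in if-nodejs-version-bump.yml, whereas the sibling changes in this same diff (lint-pr-title.yml, stale-issues-prs.yml) keep the workflow level empty and scope writes to the job that needs them. Only `version_bump` is visible in the hunk, so this is probably equivalent today, but any job added later inherits write scope silently. Consider `permissions: {}` at the top with the two grants moved under `version_bump:` and annotated the way the other files do, e.g. `pull-requests: write # the PR-creating step opens the version-bump PR`.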
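Review bot: Switching the PR-creating step's `token:` to `secrets.GITHUB_TOKEN` means the bump PR it opens will not fire `pull_request`/`pull_request_target` workflows, because GitHub suppresses runs for events created with the installation token; the required lint-pr-title check, PR testing and any automerge will therefore not run on that PR. The step's `uses:` line is outside the hunk, but its `commit-message`/`committer`/`author` inputs indicate a create-PR action, which is exactly the case where a PAT or GitHub App token is normally needed. If retiring the PAT here is deliberate, document that the release-bump PR now needs manual handling; otherwise mint a short-lived App token in a preceding step and pass that instead, e.g. `token: ${{ steps.app-token.outputs.token }}`.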
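Review bot: The `# zizmor: ignore[dangerous-triggers]` suppression in issues-prs-notifications.yml carries no rationale, so the next reader cannot tell why `pull_request_target` is acceptable here. The hunk does show two mitigations (`permissions: {}` at workflow level and the actor filter on the `issue` job), but the job bodies are outside the hunk, so I cannot confirm there is no checkout of the PR head. Put the reasoning on the comment itself, as notify-tsc-members-mention.yml does in this diff, e.g. `# zizmor: ignore[dangerous-triggers] -- no checkout of PR code; only event metadata is forwarded and the token has no scopes`.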
+++ b/.github/workflows/lint-pr-title.yml 
@@ -7,29 +7,34 @@ on: pull_request_target: types: [opened, reopened, synchronize, edited, ready_for_review] +permissions: {} + jobs: lint-pr-title: name: Lint PR title runs-on: ubuntu-latest + permissions: + contents: read # To checkout code and read PR information + pull-requests: write # To comment on PR if the title is not valid steps: # Since this workflow is REQUIRED for a PR to be mergable, we have to have this 'if' statement in step level instead of job level. - - if: ${{ !contains(fromJson('["asyncapi-bot", "dependabot[bot]", "dependabot-preview[bot]", "allcontributors[bot]"]'), github.actor) }} + - if: ${{ !contains(fromJson('["asyncapi-bot", "dependabot[bot]", "dependabot-preview[bot]", "allcontributors[bot]"]'), github.actor) }} # zizmor: ignore[obfuscation] uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 #version 5.2.0 https://github.com/amannn/action-semantic-pull-request/releases/tag/v5.2.0 id: lint_pr_title env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN}} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}} with: subjectPattern: ^(?![A-Z]).+$ subjectPatternError: | The subject "{subject}" found in the pull request title "{title}" should start with a lowercase character. 
# Comments the error message from the above lint_pr_title action - - if: ${{ always() && steps.lint_pr_title.outputs.error_message != null && !contains(fromJson('["asyncapi-bot", "dependabot[bot]", "dependabot-preview[bot]", "allcontributors[bot]"]'), github.actor)}} + - if: ${{ always() && steps.lint_pr_title.outputs.error_message != null && !contains(fromJson('["asyncapi-bot", "dependabot[bot]", "dependabot-preview[bot]", "allcontributors[bot]"]'), github.actor)}} # zizmor: ignore[obfuscation] name: Comment on PR uses: marocchino/sticky-pull-request-comment@3d60a5b2dae89d44e0c6ddc69dd7536aec2071cd #use 2.5.0 https://github.com/marocchino/sticky-pull-request-comment/releases/tag/v2.5.0 with: header: pr-title-lint-error - GITHUB_TOKEN: ${{ secrets.GH_TOKEN}} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}} message: | We require all PRs to follow [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/). @@ -44,4 +49,4 @@ jobs: with: header: pr-title-lint-error delete: true - GITHUB_TOKEN: ${{ secrets.GH_TOKEN}} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}} diff --git a/.github/workflows/notify-tsc-members-mention.yml b/.github/workflows/notify-tsc-members-mention.yml index ffa39bbc..7048d69e 100644 --- a/.github/workflows/notify-tsc-members-mention.yml +++ b/.github/workflows/notify-tsc-members-mention.yml @@ -17,14 +17,16 @@ on: types: - opened - pull_request_target: + pull_request_target: # Needed to access secrets. The checkout is done on base branch so script cannot be malicious. types: - - opened - + - opened # zizmor: ignore[dangerous-triggers] discussion: types: - created +permissions: + contents: read # To checkout repository + jobs: issue: if: github.event_name == 'issues' && contains(github.event.issue.body, '@asyncapi/tsc_members') @@ -33,6 +35,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@v4 with: 
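Review bot: The job-level `contents: read # To checkout code and read PR information` comment in lint-pr-title.yml does not match the steps in the hunk: none of them runs `actions/checkout`, and reading PR metadata is already covered by `pull-requests: write`. A misleading why-comment on a permission grant is worse than none, since it invites keeping the scope unquestioned at the next audit. Either reword it to the actual reason the scope is kept, e.g. `contents: read # minimum scope; no checkout is performed`, or drop the key if a run without it succeeds; the few lines between this hunk and the final one are not visible, so please confirm no checkout hides there.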
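Review bot: The safety argument in the new `pull_request_target:` comment in notify-tsc-members-mention.yml ("the checkout is done on base branch so script cannot be malicious") rests on an invariant the file never states where it matters: the `actions/checkout@v4` step has no `ref:` input, and the moment someone adds `ref: ${{ github.event.pull_request.head.sha }}` a fork's copy of `.github/workflows/scripts/mailchimp/index.js` runs with `MAILCHIMP_API_KEY` and the other secrets in the step env. Because the `pull_request` job's `if:` is driven by `github.event.pull_request.body`, which a fork author controls, that checkout line is the load-bearing control of the workflow. Add a guard comment on the checkout step itself, e.g. `# Intentionally no ref: -- must stay on the base branch; the script below runs with org secrets`.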
@@ -68,10 +72,11 @@ jobs: CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }} MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }} TITLE: ${{ github.event.issue.title }} + HTML_URL: ${{ github.event.issue.html_url }} with: script: | const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js'); - sendEmail('${{github.event.issue.html_url}}', process.env.TITLE); + sendEmail(process.env.HTML_URL, process.env.TITLE); pull_request: if: github.event_name == 'pull_request_target' && contains(github.event.pull_request.body, '@asyncapi/tsc_members') @@ -80,6 +85,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@v4 with: @@ -115,10 +122,11 @@ jobs: CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }} MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }} TITLE: ${{ github.event.pull_request.title }} + HTML_URL: ${{ github.event.pull_request.html_url }} with: script: | const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js'); - sendEmail('${{github.event.pull_request.html_url}}', process.env.TITLE); + sendEmail(process.env.HTML_URL, process.env.TITLE); discussion: if: github.event_name == 'discussion' && contains(github.event.discussion.body, '@asyncapi/tsc_members') @@ -127,6 +135,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@v4 with: 
@@ -162,10 +172,11 @@ jobs: CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }} MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }} TITLE: ${{ github.event.discussion.title }} + HTML_URL: ${{ github.event.discussion.html_url }} with: script: | const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js'); - sendEmail('${{github.event.discussion.html_url}}', process.env.TITLE); + sendEmail(process.env.HTML_URL, process.env.TITLE); issue_comment: if: ${{ github.event_name == 'issue_comment' && !github.event.issue.pull_request && contains(github.event.comment.body, '@asyncapi/tsc_members') }} @@ -174,6 +185,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@v4 with: @@ -209,10 +222,11 @@ jobs: CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }} MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }} TITLE: ${{ github.event.issue.title }} + HTML_URL: ${{ github.event.comment.html_url }} with: script: | const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js'); - sendEmail('${{github.event.comment.html_url}}', process.env.TITLE); + sendEmail(process.env.HTML_URL, process.env.TITLE); pr_comment: if: github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(github.event.comment.body, '@asyncapi/tsc_members') @@ -221,6 +235,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@v4 with: 
@@ -256,10 +272,11 @@ jobs: CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }} MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }} TITLE: ${{ github.event.issue.title }} + HTML_URL: ${{ github.event.comment.html_url }} with: script: | const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js'); - sendEmail('${{github.event.comment.html_url}}', process.env.TITLE); + sendEmail(process.env.HTML_URL, process.env.TITLE); discussion_comment: if: github.event_name == 'discussion_comment' && contains(github.event.comment.body, '@asyncapi/tsc_members') @@ -268,6 +285,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@v4 with: @@ -303,7 +322,8 @@ jobs: CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }} MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }} TITLE: ${{ github.event.discussion.title }} + HTML_URL: ${{ github.event.comment.html_url }} with: script: | const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js'); - sendEmail('${{github.event.comment.html_url}}', process.env.TITLE); + sendEmail(process.env.HTML_URL, process.env.TITLE); diff --git a/.github/workflows/please-take-a-look-command.yml b/.github/workflows/please-take-a-look-command.yml index 84b5a262..6bcbc035 100644 --- a/.github/workflows/please-take-a-look-command.yml +++ b/.github/workflows/please-take-a-look-command.yml @@ -11,6 +11,8 @@ on: issue_comment: types: [created] +permissions: {} + jobs: ping-for-attention: if: > @@ -31,7 +33,7 @@ jobs: script: | const prDetailsUrl = context.payload.issue.pull_request.url; const { data: pull } = await github.request(prDetailsUrl); - const reviewers = pull.requested_reviewers.map(reviewer => reviewer.login); + const reviewers = (pull.requested_reviewers || []).map(reviewer => reviewer.login); const { data: reviews } = await github.rest.pulls.listReviews({ owner: context.repo.owner, 
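Review bot: The new workflow-level `permissions: {}` in please-take-a-look-command.yml strips every scope from `GITHUB_TOKEN`, yet the `ping-for-attention` job's github-script step reads the PR via `github.request(prDetailsUrl)` and presumably comments on it; which token that step uses is outside the hunk. If it relies on the default token these calls now fail with 403; if it passes `secrets.GH_TOKEN`, the empty block is correct but unexplained. Say which on the line, e.g. `permissions: {} # job authenticates with GH_TOKEN; default token deliberately has no scopes`, or add a job-level `pull-requests: write` if the default token is what the step uses.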
diff --git a/.github/workflows/release-announcements.yml b/.github/workflows/release-announcements.yml index 311b701f..c346cca7 100644 --- a/.github/workflows/release-announcements.yml +++ b/.github/workflows/release-announcements.yml @@ -8,6 +8,9 @@ on: types: - published +permissions: + contents: read # To checkout code and read release information + jobs: slack-announce: @@ -16,6 +19,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Convert markdown to slack markdown for issue # This workflow is from our own org repo and safe to reference by 'master'. uses: asyncapi/.github/.github/actions/slackify-markdown@master # //NOSONAR @@ -42,6 +47,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Get version of last and previous release uses: actions/github-script@v7 id: versions diff --git a/.github/workflows/stale-issues-prs.yml b/.github/workflows/stale-issues-prs.yml index 25bee820..8ddfdfca 100644 --- a/.github/workflows/stale-issues-prs.yml +++ b/.github/workflows/stale-issues-prs.yml @@ -7,11 +7,17 @@ on: schedule: - cron: "0 0 * * *" +permissions: {} + jobs: stale: if: startsWith(github.repository, 'asyncapi/') name: Mark issue or PR as stale runs-on: ubuntu-latest + permissions: + contents: read # As delete-branch is not being used + issues: write # To add comments and labels to issues + pull-requests: write # To add comments and labels to PRs steps: - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 #v9.1.0 but pointing to commit for security reasons with: diff --git a/.github/workflows/transfer-issue.yml b/.github/workflows/transfer-issue.yml deleted file mode 100644 index dbe84ca6..00000000 --- a/.github/workflows/transfer-issue.yml +++ /dev/null 
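Review bot: The `contents: read # As delete-branch is not being used` comment in stale-issues-prs.yml reasons the wrong way round: if `delete-branch` is unused, no `contents` scope should be required at all, since `contents: write` is what that option needs and the stale action otherwise only touches issues and pull requests. Either drop the key, or reword the comment so it states why the read scope is kept, e.g. `contents: read # not used by stale itself; kept as the no-op minimum (delete-branch would need write)`.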
@@ -1,62 +0,0 @@ -# This action is centrally managed in https://github.com/asyncapi/.github/ -# Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in above mentioned repo - -name: Transfer Issues between repositories - -on: - issue_comment: - types: - - created - -permissions: - issues: write - -jobs: - transfer: - if: ${{(!github.event.issue.pull_request && github.event.issue.state != 'closed' && github.actor != 'asyncapi-bot') && (startsWith(github.event.comment.body, '/transfer-issue') || startsWith(github.event.comment.body, '/ti'))}} - runs-on: ubuntu-latest - steps: - - name: Checkout Repository - uses: actions/checkout@v4 - - name: Extract Input - id: extract_step - env: - COMMENT: "${{ github.event.comment.body }}" - run: | - REPO=$(echo "$COMMENT" | awk '{print $2}') - echo "repo=$REPO" >> $GITHUB_OUTPUT - - name: Check Repo - uses: actions/github-script@v7 - with: - github-token: ${{secrets.GH_TOKEN}} - script: | - const r = "${{github.repository}}" - const [owner, repo] = r.split('/') - const repoToMove = process.env.REPO_TO_MOVE - const issue_number = context.issue.number - try { - const {data} = await github.rest.repos.get({ - owner, - repo: repoToMove - }) - }catch (e) { - const body = `${repoToMove} is not a repo under ${owner}. You can only transfer issue to repos that belong to the same organization.` - await github.rest.issues.createComment({ - owner, - repo, - issue_number, - body - }) - process.exit(1) - } - env: - REPO_TO_MOVE: ${{steps.extract_step.outputs.repo}} - - name: Transfer Issue - id: transferIssue - working-directory: ./ - run: | - gh issue transfer "$ISSUE_NUMBER" "asyncapi/$REPO_NAME" - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - ISSUE_NUMBER: ${{ github.event.issue.number }} - REPO_NAME: ${{ steps.extract_step.outputs.repo }} diff --git a/.github/workflows/update-docs-on-docs-commits.yml b/.github/workflows/update-docs-on-docs-commits.yml index b6186d4e..66f191de 100644 
--- a/.github/workflows/update-docs-on-docs-commits.yml +++ b/.github/workflows/update-docs-on-docs-commits.yml @@ -12,6 +12,9 @@ on: branches: - master +permissions: + contents: read # Just to limit GITHUB_TOKEN as we use GH_TOKEN only + jobs: docs-gen: name: 'Generate docs and create PR' @@ -22,6 +25,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Determine what node version to use # This workflow is from our own org repo and safe to reference by 'master'. uses: asyncapi/.github/.github/actions/get-node-version-from-package-lock@master # //NOSONAR diff --git a/.github/workflows/update-maintainers-trigger.yaml b/.github/workflows/update-maintainers-trigger.yaml index 12fc4abe..0535e39d 100644 --- a/.github/workflows/update-maintainers-trigger.yaml +++ b/.github/workflows/update-maintainers-trigger.yaml @@ -13,6 +13,9 @@ on: - '.github/CODEOWNERS' - '.docs/CODEOWNERS' +permissions: + contents: read # Just to limit GITHUB_TOKEN as we use GH_TOKEN only + jobs: trigger-maintainers-update: name: Trigger updating MAINTAINERS.yaml because of CODEOWNERS change diff --git a/.github/workflows/update-pr.yml b/.github/workflows/update-pr.yml index 2fa19b0a..e09826ab 100644 --- a/.github/workflows/update-pr.yml +++ b/.github/workflows/update-pr.yml @@ -9,12 +9,16 @@ name: Update PR branches from fork +permissions: + contents: read + on: issue_comment: types: [created] jobs: update-pr: + name: Update the fork PR with upstream changes if: > startsWith(github.repository, 'asyncapi/') && github.event.issue.pull_request && @@ -23,6 +27,10 @@ jobs: contains(github.event.comment.body, '/u') ) runs-on: ubuntu-latest + permissions: + issues: write # Required to read PR details and post comments on the PR + pull-requests: write # Required to update the PR branch + contents: read steps: - name: Get Pull Request Details id: pr 
@@ -40,7 +48,7 @@ jobs: }); // If the PR has conflicts, we don't want to update it - const updateable = ['behind', 'blocked', 'unknown', 'draft', 'clean'].includes(pr.mergeable_state); + const updateable = ['behind', 'blocked', 'unknown', 'draft', 'clean', 'unstable'].includes(pr.mergeable_state); console.log(`PR #${prNumber} is ${pr.mergeable_state} and is ${updateable ? 'updateable' : 'not updateable'}`); core.setOutput('updateable', updateable); @@ -54,6 +62,8 @@ jobs: - name: Update the Pull Request if: steps.pr.outputs.updateable == 'true' uses: actions/github-script@v7 + env: + PR_DETAILS: ${{ steps.pr.outputs.result }} with: github-token: ${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }} script: | @@ -65,7 +75,7 @@ jobs: } }`; - const pr_details = ${{ steps.pr.outputs.result }}; + const pr_details = JSON.parse(process.env.PR_DETAILS); try { const { data } = await github.graphql(mutation, { diff --git a/.github/workflows/welcome-first-time-contrib.yml b/.github/workflows/welcome-first-time-contrib.yml index 2614d8de..0501a7ad 100644 --- a/.github/workflows/welcome-first-time-contrib.yml +++ b/.github/workflows/welcome-first-time-contrib.yml 
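Review bot: Adding `'unstable'` to the updateable list in update-pr.yml changes behaviour (GitHub reports `unstable` when the PR is mergeable but a non-required check is failing), yet the only comment above the line still says conflicts are the sole exclusion. Spell out the new state so the next reader does not remove it as a typo, e.g. `// 'unstable' = mergeable, but a non-required check is failing; still safe to bring up to date`. The surrounding script starts and ends outside the hunk.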
@@ -4,18 +4,26 @@ name: Welcome first time contributors on: - pull_request_target: + pull_request: types: - opened issues: types: - opened +permissions: + issues: read # Required to check if the issue is the user's first contribution + pull-requests: read # Required to check if the pull request is the user's first contribution + jobs: welcome: name: Post welcome message - if: ${{ !contains(fromJson('["asyncapi-bot", "dependabot[bot]", "dependabot-preview[bot]", "allcontributors[bot]"]'), github.actor) }} + if: ${{ !contains(fromJson('["asyncapi-bot", "dependabot[bot]", "dependabot-preview[bot]", "allcontributors[bot]"]'), github.actor) }} # zizmor: ignore[obfuscation] runs-on: ubuntu-latest + permissions: + contents: read # Required to read repository data for checking if it's the user's first contribution + issues: write # Required to post welcome message on issues + pull-requests: write # Required to post welcome message on pull requests steps: - uses: actions/github-script@v7 with: diff --git a/PROGRESS.md b/PROGRESS.md new file mode 100644 index 00000000..98f3c404 --- /dev/null +++ b/PROGRESS.md 
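Review bot: Switching the trigger from `pull_request_target` to `pull_request` in welcome-first-time-contrib.yml most likely breaks the workflow for the PRs it exists for: on `pull_request` runs from a forked repository the `GITHUB_TOKEN` is read-only regardless of the `permissions:` block, so the job-level `pull-requests: write`/`issues: write` are not honoured and the welcome comment on a first-time contributor's fork PR will fail with 403. PROGRESS.md in this diff records only a test on an issue, not on a fork PR. Either keep `pull_request_target` (safe here as long as the job never checks out PR code; the visible step is only `actions/github-script@v7`) with a documented `# zizmor: ignore[dangerous-triggers]`, or accept that fork PRs are no longer welcomed and say so in a comment on the `pull_request:` line.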
@@ -0,0 +1,57 @@ +## Github Workflow Security Tightening Progress + +### Github workflows + +- [ ] [zizmor.yml](zizmor.yml) +- [ ] [add-good-first-issue-labels.yml](.github/workflows/add-good-first-issue-labels.yml) +- [ ] [automerge-for-humans-add-ready-to-merge-or-do-not-merge-label.yml](.github/workflows/automerge-for-humans-add-ready-to-merge-or-do-not-merge-label.yml) +- [ ] [automerge-for-humans-merging.yml](.github/workflows/automerge-for-humans-merging.yml) +- [ ] [automerge-for-humans-remove-ready-to-merge-label-on-edit.yml](.github/workflows/automerge-for-humans-remove-ready-to-merge-label-on-edit.yml) +- [ ] [automerge-orphans.yml](.github/workflows/automerge-orphans.yml) +- [ ] [automerge.yml](.github/workflows/automerge.yml) +- [ ] [autoupdate.yml](.github/workflows/autoupdate.yml) +- [ ] [bounty-program-commands.yml](.github/workflows/bounty-program-commands.yml) +- [ ] [bump.yml](.github/workflows/bump.yml) +- [ ] [global-remover.yml](.github/workflows/global-remover.yml) +- [ ] [global-replicator.yml](.github/workflows/global-replicator.yml) +- [ ] [help-command.yml](.github/workflows/help-command.yml) +- [ ] [if-docker-pr-testing.yml](.github/workflows/if-docker-pr-testing.yml) +- [ ] [if-go-pr-testing.yml](.github/workflows/if-go-pr-testing.yml) +- [ ] [if-nodejs-pr-testing.yml](.github/workflows/if-nodejs-pr-testing.yml) +- [ ] [if-nodejs-release.yml](.github/workflows/if-nodejs-release.yml) +- [x] [if-nodejs-version-bump.yml](.github/workflows/if-nodejs-version-bump.yml) GITHUB_TOKEN used instead of GH_TOKEN and permissions added to the workflow and the job. [Test PR](https://github.com/asyncapi-actions-test/asyncapi-github/pull/8) and [Test Workflow Run](https://github.com/asyncapi-actions-test/asyncapi-github/actions/runs/23110097695). +- [x] [issues-prs-notifications.yml](.github/workflows/issues-prs-notifications.yml) No permissions needed since the workflow only reads context data. 
Pull request target not a big problem but can have spam notifications or phishing links. +- [x] [lint-pr-title.yml](.github/workflows/lint-pr-title.yml) - Using GITHUB_TOKEN instead of GH_TOKEN and added permissions to the workflow and the job. [Test PR](https://github.com/asyncapi-actions-test/asyncapi-github/pull/7#issuecomment-4045958191) and [Test Workflow Run](https://github.com/asyncapi-actions-test/asyncapi-github/actions/runs/22999531548/job/66780332833?pr=7) +- [x] [notify-tsc-members-mention.yml](.github/workflows/notify-tsc-members-mention.yml) - pull_request_target not a big issue for this one. Mailchimp script needs to be tightened though. +- [x] [please-take-a-look-command.yml](.github/workflows/please-take-a-look-command.yml) - permissions added to the workflow. [Test PR](https://github.com/asyncapi-actions-test/asyncapi-github/pull/3#issuecomment-4031325220) and [Test Workflow Run](https://github.com/asyncapi-actions-test/asyncapi-github/actions/runs/22904380860/job/66458939263) +- [x] [release-announcements.yml](.github/workflows/release-announcements.yml) Just added content read permissions and removed checkout persist credentials. +- [x] [stale-issues-prs.yml](.github/workflows/stale-issues-prs.yml) - Permissions added to the workflow and the job. [Test Issue](https://github.com/asyncapi-actions-test/asyncapi-github/issues/2#issuecomment-4029175489) and [Test Workflow Run](https://github.com/asyncapi-actions-test/asyncapi-github/actions/runs/22891096690) +- [x] [transfer-issue.yml](.github/workflows/transfer-issue.yml) Removed that as it was not working right now. +- [x] [update-docs-on-docs-commits.yml](.github/workflows/update-docs-on-docs-commits.yml) - Just added content read permissions since the workflow uses GH_TOKEN and removed checkout persist credentials. +- [x] [update-maintainers-trigger.yaml](.github/workflows/update-maintainers-trigger.yaml) Didn't do too much, just added content read permissions since the workflow uses GH_TOKEN. 
+- [x] [update-pr.yml](.github/workflows/update-pr.yml) - [Test PR](https://github.com/asyncapi-actions-test/asyncapi-github/pull/5) +- [ ] [validate-workflow-schema.yml](.github/workflows/validate-workflow-schema.yml) +- [x] [welcome-first-time-contrib.yml](.github/workflows/welcome-first-time-contrib.yml) - permissions tightened and GH_TOKEN -> GITHUB_TOKEN so that pull_request_target is no longer required. [Test Issue](https://github.com/asyncapi-actions-test/asyncapi-github/issues/2) + +### Scripts + +- [ ] [Mailchimp scripts](.github/workflows/scripts/mailchimp/) + - htmlContent.js + - index.js + - package.json + - package-lock.json + +### Actions + +- [ ] [get-node-version-from-package-lock](.github/actions/get-node-version-from-package-lock/) + - action.yml + - README.md +- [ ] [slackify-markdown](.github/actions/slackify-markdown/) + - action.yml + + +## Add actions-permission monitoring to the issues. + +## Still need to verify + +- [ ] [issues-prs-notifications.yml](.github/workflows/issues-prs-notifications.yml) \ No newline at end of file diff --git a/zizmor.yml b/zizmor.yml new file mode 100644 index 00000000..cc2a45f7 --- /dev/null +++ b/zizmor.yml @@ -0,0 +1,13 @@ +rules: + excessive-permissions: + disable: false + dangerous-triggers: + disable: false + unpinned-uses: + config: + policies: + actions/checkout: ref-pin + actions/setup-node: ref-pin + actions/github-script: ref-pin + asyncapi/.github/*: any + "*": hash-pin
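Review bot: The `unpinned-uses` policy in zizmor.yml downgrades `actions/checkout`, `actions/setup-node` and `actions/github-script` to `ref-pin` and `asyncapi/.github/*` to `any` while every other action must be `hash-pin`, but the rationale is nowhere in the file. Tags such as `@v4`/`@v7` are mutable, so the exemption is a conscious trust decision in GitHub's action maintainers, and `@master` for the org's own composite actions is a trust decision in everyone with push to that branch. Record both as comments next to the policy lines, e.g. `actions/checkout: ref-pin # GitHub-owned; tag pins accepted to limit bump churn`, and note that `disable: false` is the default for both listed rules, so those entries can be dropped or commented as deliberately explicit.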