mifr/subsurface
1
0
Fork 0
mirror of https://github.com/subsurface/subsurface.git synced 2025-02-19 22:16:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

Reduce attack vector in artifact-links.yml

Browse source 
Pin action to git hash, https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash

Restrict permissions for the GITHUB_TOKEN, https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

Signed-off-by: probonopd <probonopd@users.noreply.github.com>
This commit is contained in:
probonopd 2024-07-27 12:16:38 +02:00 committed by Michael Keller
parent aadca7eeae
commit 3c8ce37299
1 changed files with 6 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
.github/workflows/artifact-links.yml vendored
View file

@ -10,10 +10,15 @@ jobs:
name: Add artifact links to PR and issues name: Add artifact links to PR and issues
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
issues: write
pull-requests: write
actions: read
steps: steps:
- name: Add artifact links to PR and issues - name: Add artifact links to PR and issues
if: github.event.workflow_run.event == 'pull_request' if: github.event.workflow_run.event == 'pull_request'
uses: tonyhallett/artifacts-url-comments@v1.1.0 uses: tonyhallett/artifacts-url-comments@0965ff1a7ae03c5c1644d3c30f956effea4e05ef # v1.1.0
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with: with: