TuxCoding/FastLogin
1
0
Fork 1
mirror of https://github.com/TuxCoding/FastLogin.git synced 2025-07-31 19:24:47 +02:00
Code Issues Packages Projects Releases Wiki Activity

Enforce stricter permissions on GitHub actions

Browse Source
This commit is contained in:
games647
2024-05-06 11:18:48 +02:00
parent 9fabc69ba9
commit 3473611b90
2 changed files with 23 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/codeql-analysis.yml vendored
View File

@@ -25,8 +25,7 @@ jobs:
if: ${{ github.event.workflow_run.conclusion == 'success' }} if: ${{ github.event.workflow_run.conclusion == 'success' }}
permissions: permissions:
actions: read # Only allow write for security, then all others default to read only
contents: read
security-events: write security-events: write
strategy: strategy:

24
.github/workflows/maven.yml vendored
View File

@@ -21,7 +21,8 @@ jobs:
# Environment image - always use the newest OS # Environment image - always use the newest OS
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
contents: write # With at least one permission given, all default to read
contents: read
# Run steps # Run steps
steps: steps:
@@ -42,6 +43,25 @@ jobs:
# ignore snapshot updates, because they are likely to have breaking changes, enforce checksums # ignore snapshot updates, because they are likely to have breaking changes, enforce checksums
run: mvn test --batch-mode --threads 2.0C --no-snapshot-updates --strict-checksums --file pom.xml run: mvn test --batch-mode --threads 2.0C --no-snapshot-updates --strict-checksums --file pom.xml
- name: Update dependency graph dependency:
runs-on: ubuntu-latest
permissions:
# Write only necessary for dependency submission all others then default to read
contents: write
# Run steps
steps:
# Pull changes
- uses: actions/checkout@v4
# Setup Java
- name: Set up JDK
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version-file: '.java-version'
cache: 'maven'
- name: Submit Dependency Snapshot
if: ${{ github.event_name == 'push' }} if: ${{ github.event_name == 'push' }}
uses: advanced-security/maven-dependency-submission-action@v4.0.3 uses: advanced-security/maven-dependency-submission-action@v4.0.3