actions/github-script
1
0
Fork 0
mirror of https://github.com/actions/github-script.git synced 2025-12-08 08:06:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Define permissions in workflows and update actions

Browse Source
This commit is contained in:
Josh Gross
2025-01-28 16:50:07 -05:00
parent c94e1c45ff
commit 19e58d8525
10 changed files with 41 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/actions/install-dependencies/action.yml vendored
View File

@@ -3,7 +3,7 @@ description: 'Set up node and install dependencies'
runs: runs:
using: 'composite' using: 'composite'
steps: steps:
- uses: actions/setup-node@v3 - uses: actions/setup-node@v4
with: with:
node-version: '20.x' node-version: '20.x'
cache: npm cache: npm

5
.github/workflows/check-dist.yml vendored
View File

@@ -13,12 +13,15 @@ on:
pull_request: pull_request:
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
check-dist: check-dist:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
- uses: ./.github/actions/install-dependencies - uses: ./.github/actions/install-dependencies

5
.github/workflows/ci.yml vendored
View File

@@ -6,11 +6,14 @@ on:
pull_request: pull_request:
branches: [main] branches: [main]
permissions:
contents: read
jobs: jobs:
ci: ci:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
- uses: ./.github/actions/install-dependencies - uses: ./.github/actions/install-dependencies
- run: npm run style:check - run: npm run style:check
- run: npm test - run: npm test

8
.github/workflows/codeql-analysis.yml vendored
View File

@@ -38,11 +38,11 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v3 uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v2 uses: github/codeql-action/init@v3
with: with:
languages: ${{ matrix.language }} languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file. # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below) # If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild - name: Autobuild
uses: github/codeql-action/autobuild@v2 uses: github/codeql-action/autobuild@v3
# Command-line programs to run using the OS shell. # Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -69,4 +69,4 @@ jobs:
# ./location_of_script_within_repo/buildscript.sh # ./location_of_script_within_repo/buildscript.sh
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2 uses: github/codeql-action/analyze@v3

17
.github/workflows/integration.yml vendored
View File

@@ -6,12 +6,15 @@ on:
pull_request: pull_request:
branches: [main] branches: [main]
permissions:
contents: read
jobs: jobs:
test-return: test-return:
name: 'Integration test: return' name: 'Integration test: return'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
- id: output-set - id: output-set
uses: ./ uses: ./
with: with:
@@ -31,7 +34,7 @@ jobs:
name: 'Integration test: relative-path require' name: 'Integration test: relative-path require'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
- id: relative-require - id: relative-require
uses: ./ uses: ./
with: with:
@@ -49,7 +52,7 @@ jobs:
name: 'Integration test: npm package require' name: 'Integration test: npm package require'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
- uses: ./.github/actions/install-dependencies - uses: ./.github/actions/install-dependencies
- id: npm-require - id: npm-require
uses: ./ uses: ./
@@ -69,7 +72,7 @@ jobs:
name: 'Integration test: GraphQL previews option' name: 'Integration test: GraphQL previews option'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
- uses: ./.github/actions/install-dependencies - uses: ./.github/actions/install-dependencies
- id: previews-default - id: previews-default
name: Default previews not set name: Default previews not set
@@ -122,7 +125,7 @@ jobs:
name: 'Integration test: user-agent option' name: 'Integration test: user-agent option'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
- uses: ./.github/actions/install-dependencies - uses: ./.github/actions/install-dependencies
- id: user-agent-default - id: user-agent-default
name: Default user-agent not set name: Default user-agent not set
@@ -179,7 +182,7 @@ jobs:
name: "Integration test: debug option (runner.debug mode ${{ matrix.environment && 'enabled' || 'disabled' }})" name: "Integration test: debug option (runner.debug mode ${{ matrix.environment && 'enabled' || 'disabled' }})"
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
- uses: ./.github/actions/install-dependencies - uses: ./.github/actions/install-dependencies
- id: debug-default - id: debug-default
name: Default debug not set name: Default debug not set
@@ -253,7 +256,7 @@ jobs:
name: 'Integration test: base-url option' name: 'Integration test: base-url option'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
- uses: ./.github/actions/install-dependencies - uses: ./.github/actions/install-dependencies
- id: base-url-default - id: base-url-default

5
.github/workflows/licensed.yml vendored
View File

@@ -8,12 +8,15 @@ on:
branches: branches:
- main - main
permissions:
contents: read
jobs: jobs:
test: test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
name: Check licenses name: Check licenses
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
with: with:
fetch-depth: 0 # prefer to use a full fetch for licensed workflows fetch-depth: 0 # prefer to use a full fetch for licensed workflows
# https://github.com/jonabc/setup-licensed/releases/tag/v1.1.1 # https://github.com/jonabc/setup-licensed/releases/tag/v1.1.1

2
.github/workflows/publish-immutable-actions.yml vendored
View File

@@ -17,4 +17,4 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Publish - name: Publish
id: publish id: publish
uses: actions/publish-immutable-action@0.0.3 uses: actions/publish-immutable-action@0.0.4

12
.github/workflows/pull-request-test.yml vendored
View File

@@ -5,11 +5,15 @@ on:
branches: [main] branches: [main]
types: [opened, synchronize] types: [opened, synchronize]
permissions:
contents: read
pull-requests: write
jobs: jobs:
pull-request-test: pull-request-test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
- uses: ./ - uses: ./
with: with:
script: | script: |
@@ -20,9 +24,9 @@ jobs:
issue_number: context.payload.number, issue_number: context.payload.number,
}) })
// Find any comment already made by the bot. // Find any comment already made by the bot.
const botComment = comments.find(comment => comment.user.id === 41898282) const botComment = comments.find(comment => comment.user.id === 41898282)
const commentBody = "Hello from actions/github-script! (${{ github.sha }})" const commentBody = "Hello from actions/github-script! (${{ github.sha }})"
if (context.payload.pull_request.head.repo.full_name !== 'actions/github-script') { if (context.payload.pull_request.head.repo.full_name !== 'actions/github-script') {
console.log('Not attempting to write comment on PR from fork'); console.log('Not attempting to write comment on PR from fork');

31
.github/workflows/stale.yml vendored
View File

@@ -1,31 +0,0 @@
name: Stale Issues & PRs
on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
jobs:
mark_stale:
name: Mark issues and PRs as stale
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v3
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
exempt-issue-labels: Not Stale
exempt-pr-labels: Not Stale
stale-issue-message: >
This issue is stale because it has been open for 60 days with no
activity. Remove the "Stale" label or comment on the issue, or it
will be closed in 7 days.
stale-pr-message: >
This pull request is stale because it has been open for 60 days
with no activity. Remove the "Stale" label or comment on the pull
request, or it will be closed in 7 days.
close-issue-message: >
This issue has been marked as stale and closed due to no activity
on it.
close-pr-message: >
This pull request has been marked as stale and closed due to no
activity on it.

10
README.md
View File

@@ -305,7 +305,7 @@ jobs:
echo-input: echo-input:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
- uses: actions/github-script@v7 - uses: actions/github-script@v7
with: with:
script: | script: |
@@ -343,7 +343,7 @@ jobs:
echo-input: echo-input:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
- uses: actions/github-script@v7 - uses: actions/github-script@v7
env: env:
SHA: '${{env.parentSHA}}' SHA: '${{env.parentSHA}}'
@@ -381,8 +381,8 @@ jobs:
echo-input: echo-input:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
- uses: actions/setup-node@v3 - uses: actions/setup-node@v4
with: with:
node-version: '20.x' node-version: '20.x'
- run: npm ci - run: npm ci
@@ -417,7 +417,7 @@ jobs:
print-stuff: print-stuff:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
- uses: actions/github-script@v7 - uses: actions/github-script@v7
with: with:
script: | script: |