Merge pull request #1699 from actions/Link-/fix-workflow-permissions

Fix workflow permissions and clean up workflow names / formatting
Bassem Dghaidi 2026-01-29 11:31:19 +01:00 committed by GitHub
commit cb6ea63971
9 changed files with 58 additions and 37 deletions


@ -1,4 +1,4 @@
name: Check dist/ name: Check dist content
on: on:
push: push:
@ -11,6 +11,9 @@ on:
- '**.md' - '**.md'
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
call-check-dist: call-check-dist:
name: Check dist/ name: Check dist/


@ -1,4 +1,5 @@
name: Close inactive issues name: Close inactive issues
on: on:
schedule: schedule:
- cron: "30 8 * * *" - cron: "30 8 * * *"


@ -1,4 +1,4 @@
name: "Code scanning - action" name: Code scanning
on: on:
push: push:
@ -6,15 +6,14 @@ on:
schedule: schedule:
- cron: '0 19 * * 0' - cron: '0 19 * * 0'
permissions:
contents: read
security-events: write
jobs: jobs:
CodeQL-Build: CodeQL-Build:
# CodeQL runs on ubuntu-latest, windows-latest, and macos-latest # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
# required for all workflows
security-events: write
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v5 uses: actions/checkout@v5
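Review bot: `security-events: write` now sits in the workflow-level `permissions` block under the schedule trigger, and the job-level block beneath `CodeQL-Build` appears to have been dropped, so any job added to this workflow later inherits the write grant rather than only the CodeQL job. The workflow-level `contents: read` is the right default; keeping `security-events: write` on the one job that uploads results is the tighter scoping and costs only the three-line job block that was removed. The publish workflow makes the same move with `id-token: write` and `packages: write`, where `id-token: write` in particular is better kept on the single job that needs an OIDC token. The CodeQL-Build job continues outside the hunk.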


@ -1,16 +1,21 @@
name: Assign issue name: Assign issue
on: on:
issues: issues:
types: [opened] types: [opened]
permissions:
issues: write
jobs: jobs:
run-action: run-action:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Get current oncall - name: Get current oncall
id: oncall id: oncall
run: | run: |
echo "CURRENT=$(curl --request GET 'https://api.pagerduty.com/oncalls?include[]=users&schedule_ids[]=P5VG2BX&earliest=true' --header 'Authorization: Token token=${{ secrets.PAGERDUTY_TOKEN }}' --header 'Accept: application/vnd.pagerduty+json;version=2' --header 'Content-Type: application/json' | jq -r '.oncalls[].user.name')" >> $GITHUB_OUTPUT echo "CURRENT=$(curl --request GET 'https://api.pagerduty.com/oncalls?include[]=users&schedule_ids[]=P5VG2BX&earliest=true' --header 'Authorization: Token token=${{ secrets.PAGERDUTY_TOKEN }}' --header 'Accept: application/vnd.pagerduty+json;version=2' --header 'Content-Type: application/json' | jq -r '.oncalls[].user.name')" >> $GITHUB_OUTPUT
- name: add_assignees - name: add_assignees
run: | run: |
curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/issues/${{ github.event.issue.number}}/assignees -d '{"assignees":["${{steps.oncall.outputs.CURRENT}}"]}' curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/issues/${{ github.event.issue.number}}/assignees -d '{"assignees":["${{steps.oncall.outputs.CURRENT}}"]}'
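Review bot: `${{ steps.oncall.outputs.CURRENT }}` is expanded directly into the `run:` script text of the add_assignees step, so whatever the PagerDuty response produced is substituted into the command line before the shell parses it; the commit adds `issues: write` but leaves this pattern in place. The value is external API data (`jq -r '.oncalls[].user.name'`) that can contain several lines or characters meaningful to the shell and to the JSON body, and the first step also appends it to `$GITHUB_OUTPUT` without quoting the path. Passing it through an environment variable keeps it out of the script: add `env:` / `ONCALL: ${{ steps.oncall.outputs.CURRENT }}` to the step and use `"$ONCALL"` inside the curl body (`-d "{\"assignees\":[\"$ONCALL\"]}"`). The same construct appears in the Request Review and Add Assignee steps of the pull request reviewer workflow.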


@ -1,6 +1,4 @@
name: Licensed name: License check
permissions:
contents: read
on: on:
push: push:
@ -11,6 +9,9 @@ on:
- main - main
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
validate-cached-dependency-records: validate-cached-dependency-records:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@ -1,20 +1,25 @@
name: Add Reviewer PR name: Assign pull request reviewer
on: on:
pull_request_target: pull_request_target:
types: [opened] types: [opened]
permissions:
pull-requests: write
jobs: jobs:
run-action: run-action:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Get current oncall - name: Get current oncall
id: oncall id: oncall
run: | run: |
echo "CURRENT=$(curl --request GET 'https://api.pagerduty.com/oncalls?include[]=users&schedule_ids[]=P5VG2BX&earliest=true' --header 'Authorization: Token token=${{ secrets.PAGERDUTY_TOKEN }}' --header 'Accept: application/vnd.pagerduty+json;version=2' --header 'Content-Type: application/json' | jq -r '.oncalls[].user.name')" >> $GITHUB_OUTPUT echo "CURRENT=$(curl --request GET 'https://api.pagerduty.com/oncalls?include[]=users&schedule_ids[]=P5VG2BX&earliest=true' --header 'Authorization: Token token=${{ secrets.PAGERDUTY_TOKEN }}' --header 'Accept: application/vnd.pagerduty+json;version=2' --header 'Content-Type: application/json' | jq -r '.oncalls[].user.name')" >> $GITHUB_OUTPUT
- name: Request Review - name: Request Review
run: | run: |
curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/pulls/${{ github.event.pull_request.number}}/requested_reviewers -d '{"reviewers":["${{steps.oncall.outputs.CURRENT}}"]}' curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/pulls/${{ github.event.pull_request.number}}/requested_reviewers -d '{"reviewers":["${{steps.oncall.outputs.CURRENT}}"]}'
- name: Add Assignee - name: Add Assignee
run: | run: |
curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/issues/${{ github.event.pull_request.number}}/assignees -d '{"assignees":["${{steps.oncall.outputs.CURRENT}}"]}' curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN}}" https://api.github.com/repos/${{github.repository}}/issues/${{ github.event.pull_request.number}}/assignees -d '{"assignees":["${{steps.oncall.outputs.CURRENT}}"]}'
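Review bot: The Add Assignee step calls the issues assignees endpoint (`/issues/${{ github.event.pull_request.number}}/assignees`) while the new workflow-level grant is only `pull-requests: write`; whether that grant covers the assignees endpoint for a pull request is worth confirming, and if it does not the step fails silently from curl's point of view and needs `issues: write` alongside it. The trigger is `pull_request_target`, so the job runs with the base repository's secrets; the workflow never checks out the PR head, which is the right shape for this trigger, and a comment above `on:` such as `# pull_request_target: this workflow must not check out or run code from the PR` would make that constraint explicit for future edits.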


@ -1,17 +1,17 @@
name: 'Publish Immutable Action Version' name: Publish immutable action
on: on:
release: release:
types: [released] types: [released]
permissions:
contents: read
id-token: write
packages: write
jobs: jobs:
publish: publish:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
packages: write
steps: steps:
- name: Checking out - name: Checking out
uses: actions/checkout@v5 uses: actions/checkout@v5


@ -1,4 +1,5 @@
name: Release new action version name: Release new action version
on: on:
release: release:
types: [released] types: [released]
@ -10,6 +11,7 @@ on:
env: env:
TAG_NAME: ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }} TAG_NAME: ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }}
permissions: permissions:
contents: write contents: write


@ -10,6 +10,9 @@ on:
- main - main
- releases/** - releases/**
permissions:
contents: read
jobs: jobs:
# Build and unit test # Build and unit test
build: build:
@ -57,6 +60,7 @@ jobs:
path: | path: |
test-cache test-cache
~/test-cache ~/test-cache
test-restore: test-restore:
needs: test-save needs: test-save
strategy: strategy:
@ -104,6 +108,7 @@ jobs:
with: with:
key: test-proxy-${{ github.run_id }} key: test-proxy-${{ github.run_id }}
path: test-cache path: test-cache
test-proxy-restore: test-proxy-restore:
needs: test-proxy-save needs: test-proxy-save
runs-on: ubuntu-latest runs-on: ubuntu-latest