[StepSecurity] ci: Harden GitHub Actions (#9356)

* [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

* implement coderabbit recommendations

---------

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: Igor Velkov <325961+iav@users.noreply.github.com>
StepSecurity Bot 2026-03-05 04:47:09 -08:00 committed by GitHub
parent ea547d6e0a
commit c27048a57d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
11 changed files with 37 additions and 3 deletions


@ -7,6 +7,9 @@ on:
- "config/boards/*.*" - "config/boards/*.*"
branches: [main] branches: [main]
permissions:
contents: read
jobs: jobs:
update-board-list-dispatch: update-board-list-dispatch:
name: Send dispatch name: Send dispatch
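Review bot: The new top-level `permissions: contents: read` becomes the default token scope for every job in this workflow, so a job with no `permissions` block of its own — `update-board-list-dispatch` here, whose steps lie outside the hunk — now gets only that scope and loses any write scope it may have relied on (for example, creating a repository dispatch with GITHUB_TOKEN needs `contents: write`, and deleting workflow runs needs `actions: write`; a PAT stored as a secret is unaffected). Worth confirming each job still has what it needs and recording the intent above the block: `# Least-privilege default for all jobs; a job that needs more declares its own permissions block`. The same applies to the other sections with the identical three-line addition (dispatch-on-forked-repo, announcepush, Check, clean-logs, ping and the two welcome-first-time-contributor workflows), whose job bodies are likewise outside their hunks.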


@ -12,6 +12,9 @@ on:
paths: paths:
- ".github/labels.yml" - ".github/labels.yml"
permissions:
contents: read
jobs: jobs:
labeler: labeler:
permissions: permissions:


@ -8,6 +8,9 @@ on:
pull_request: pull_request:
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
dispatch-on-forked-repo: dispatch-on-forked-repo:
name: 📢 Run repository dispatch on fork name: 📢 Run repository dispatch on fork


@ -4,6 +4,9 @@ on:
push: push:
branches: [ main ] branches: [ main ]
permissions:
contents: read
jobs: jobs:
announcepush: announcepush:
# Do not run this workflow in forks # Do not run this workflow in forks


@ -5,11 +5,14 @@ on:
pull_request: pull_request:
types: [ labeled ] types: [ labeled ]
permissions:
contents: read
jobs: jobs:
Announce: Announce:
permissions: permissions:
pull-requests: read pull-requests: read
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: ${{ github.repository == 'armbian/build' && github.event.label.id == '6210849975' }} if: ${{ github.repository == 'armbian/build' && github.event.label.id == '6210849975' }}
steps: steps:
@ -22,4 +25,4 @@ jobs:
curl -i -H "Accept: application/json" -H "Content-Type: application/json" -X POST --data \ curl -i -H "Accept: application/json" -H "Content-Type: application/json" -X POST --data \
"{\"username\": \"Github\", \"avatar_url\": \"${{ secrets.AVATARURL }}\", \"content\": \"\ "{\"username\": \"Github\", \"avatar_url\": \"${{ secrets.AVATARURL }}\", \"content\": \"\
:arrow_heading_up: **Pull request** to [$GITHUB_REPOSITORY](<$GITHUB_SERVER_URL/$GITHUB_REPOSITORY>) by [$GITHUB_ACTOR](<$GITHUB_SERVER_URL/$GITHUB_ACTOR>) - **Please review!** \ :arrow_heading_up: **Pull request** to [$GITHUB_REPOSITORY](<$GITHUB_SERVER_URL/$GITHUB_REPOSITORY>) by [$GITHUB_ACTOR](<$GITHUB_SERVER_URL/$GITHUB_ACTOR>) - **Please review!** \
:point_right: [Link](<$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/pull/${{github.event.pull_request.number}}>): *$(git show -s --format=%s)*\"}" ${{ secrets.WEBHOOKURL }} :point_right: [Link](<$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/pull/${{github.event.pull_request.number}}>): *$(git show -s --format=%s)*\"}" ${{ secrets.WEBHOOKURL }}
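Review bot: The `contents: read` added to the `Announce` job's own `permissions` block is required rather than redundant, because a job-level block replaces the workflow default entirely instead of merging with it, and the `git show -s --format=%s` in the last step presumably runs against a checkout that needs read access to the repository. That rule is easy to misread now that the same scope also appears at the top of the file, so a one-line comment on the job block would help: `# Job-level permissions replace the workflow default; contents: read is needed for the checkout used by git show`. The steps between the two hunks, including the checkout itself, are outside the hunk, so the need for the scope is inferred, not verified here.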


@ -13,6 +13,9 @@ env:
BOARD_IMAGES_DIR: "board-images" BOARD_IMAGES_DIR: "board-images"
VENDOR_LOGOS_DIR: "board-vendor-logos" VENDOR_LOGOS_DIR: "board-vendor-logos"
permissions:
contents: read
jobs: jobs:
Check: Check:
name: "Verify assets for newly added boards" name: "Verify assets for newly added boards"


@ -15,6 +15,9 @@ env:
SCHEDULED_RUNS_OLDER_THAN: "10" SCHEDULED_RUNS_OLDER_THAN: "10"
SCHEDULED_RUNS_TO_KEEP: "0" SCHEDULED_RUNS_TO_KEEP: "0"
permissions:
contents: read
jobs: jobs:
clean-logs: clean-logs:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@ -4,11 +4,15 @@ on:
workflows: ["Maintenance: Listen PR review"] workflows: ["Maintenance: Listen PR review"]
types: [completed] types: [completed]
permissions:
contents: read
jobs: jobs:
label: label:
if: ${{ github.event.workflow_run.conclusion == 'success' }} if: ${{ github.event.workflow_run.conclusion == 'success' }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
actions: read
contents: read contents: read
issues: write issues: write
pull-requests: write pull-requests: write
@ -51,4 +55,4 @@ jobs:
} catch (e) { } catch (e) {
core.warning(`Could not remove label "${name}": ${e.message}`); core.warning(`Could not remove label "${name}": ${e.message}`);
} }
} }
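Review bot: The new `actions: read` in the `label` job's permissions block carries no comment saying why it is needed; in a `workflow_run`-triggered job this scope is typically what reading the triggering run's artifacts requires, but the steps that would use it are outside the hunk. Suggest `# actions: read — needed to read the triggering run's artifacts` above that line, and a second comment noting that because this job declares its own block, the workflow-level `contents: read` added in the first hunk does not apply to it. Since a `workflow_run` job runs with a base-repository token and this one holds `issues: write` and `pull-requests: write`, any label names or other data it takes from the triggering run should continue to be validated before the script at the end of the file acts on them.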


@ -3,6 +3,9 @@ on:
pull_request_review: pull_request_review:
types: [submitted] types: [submitted]
permissions:
contents: read
jobs: jobs:
ping: ping:
if: ${{ github.event.review.state == 'approved' }} if: ${{ github.event.review.state == 'approved' }}


@ -4,6 +4,9 @@ on:
issues: issues:
types: opened types: opened
permissions:
contents: read
jobs: jobs:
welcome-first-time-contributor: welcome-first-time-contributor:
runs-on: ubuntu-latest runs-on: ubuntu-latest
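Review bot: With the workflow-level `permissions: contents: read` now set, the `welcome-first-time-contributor` job can only post its welcome comment if it declares `issues: write` in its own `permissions` block; the job body is outside the hunk, so this cannot be confirmed here. If it is not declared, the comment step will fail with a 403 instead of silently degrading, which is easy to miss in a workflow that only runs on new contributors' issues. The same check applies to the `pull_request_target` variant in the last section, which needs `pull-requests: write` for a PR comment; because that trigger runs with base-repository secrets, keeping the top-level default read-only there is the right call, and a comment such as `# Default is read-only; the job grants only the write scope it needs` would record the intent.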


@ -4,6 +4,9 @@ on:
pull_request_target: pull_request_target:
types: opened types: opened
permissions:
contents: read
jobs: jobs:
welcome-first-time-contributor: welcome-first-time-contributor:
runs-on: ubuntu-latest runs-on: ubuntu-latest