From b1c0c9d40edcf1877698afb865f46c7f498ce7d7 Mon Sep 17 00:00:00 2001
From: Jacek Kowalski <Jacek@jacekk.info>
Date: Thu, 27 Apr 2023 20:49:29 +0000
Subject: [PATCH] GitHub Actions: limit permissions of GITHUB_TOKEN

---
 .github/workflows/test.yml |   22 ++++++++++++----------
 1 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 6c044b4..3f51b24 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -3,6 +3,8 @@
 
 name: Test
 
+permissions: {}
+
 jobs:
   build:
     name: Build
@@ -14,7 +16,7 @@
 
       - id: java
         name: Install Java and Maven
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v3
         with:
           distribution: zulu
           java-version: 11
@@ -22,14 +24,14 @@
       - id: vars
         name: Get project variables
         run: |
-          echo -n "::set-output name=keycloakVersion::"
-          mvn -q help:evaluate -Dexpression=keycloak.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$'
-          echo -n "::set-output name=artifactId::"
-          mvn -q help:evaluate -Dexpression=project.artifactId -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$'
-          echo -n "::set-output name=projectName::"
-          mvn -q help:evaluate -Dexpression=project.name -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z :,.-]+$'
-          echo -n "::set-output name=projectVersion::"
-          mvn -q help:evaluate -Dexpression=project.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$'
+          echo -n "keycloakVersion=" >> $GITHUB_OUTPUT
+          mvn -q help:evaluate -Dexpression=keycloak.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$' >> $GITHUB_OUTPUT
+          echo -n "artifactId=" >> $GITHUB_OUTPUT
+          mvn -q help:evaluate -Dexpression=project.artifactId -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$' >> $GITHUB_OUTPUT
+          echo -n "projectName=" >> $GITHUB_OUTPUT
+          mvn -q help:evaluate -Dexpression=project.name -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z :,.-]+$' >> $GITHUB_OUTPUT
+          echo -n "projectVersion=" >> $GITHUB_OUTPUT
+          mvn -q help:evaluate -Dexpression=project.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$' >> $GITHUB_OUTPUT
 
       - name: Build project
         run: |
@@ -55,7 +57,7 @@
     steps:
       - id: checkout
         name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - id: download_artifact
         name: Download artifact

--
Gitblit v1.9.1