From b1c0c9d40edcf1877698afb865f46c7f498ce7d7 Mon Sep 17 00:00:00 2001 From: Jacek Kowalski <Jacek@jacekk.info> Date: Thu, 27 Apr 2023 20:49:29 +0000 Subject: [PATCH] GitHub Actions: limit permissions of GITHUB_TOKEN --- .github/workflows/update-deps.yml | 21 ++++++++++++++------- 1 files changed, 14 insertions(+), 7 deletions(-) diff --git a/.github/workflows/update-deps.yml b/.github/workflows/update-deps.yml index 980fc8c..06beead 100644 --- a/.github/workflows/update-deps.yml +++ b/.github/workflows/update-deps.yml @@ -5,10 +5,14 @@ name: Update dependencies +permissions: {} + jobs: update: name: Update dependencies runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - id: checkout name: Checkout code @@ -16,7 +20,7 @@ - id: java name: Install Java and Maven - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: distribution: zulu java-version: 11 @@ -29,20 +33,23 @@ - id: vars name: Get project variables run: | - echo -n "::set-output name=versionUpdated::" - [ -f pom.xml.versionsBackup ] && echo 1 || echo 0 - echo -n "::set-output name=keycloakVersion::" - mvn -q help:evaluate -Dexpression=keycloak.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$' + if [ -f pom.xml.versionsBackup ]; then + echo "versionUpdated=1" + else + echo "versionUpdated=0" + fi >> $GITHUB_OUTPUT + echo -n "keycloakVersion=" >> $GITHUB_OUTPUT + mvn -q help:evaluate -Dexpression=keycloak.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$' >> $GITHUB_OUTPUT - id: check_branch name: Check if branch exists run: | - echo -n "::set-output name=commit::" + echo -n "commit=" >> $GITHUB_OUTPUT if [ '${{ steps.vars.outputs.versionUpdated }}' == '1' ]; then git ls-remote origin 'feature/keycloak-update-${{ steps.vars.outputs.keycloakVersion }}' else git rev-parse HEAD - fi + fi >> $GITHUB_OUTPUT - id: reset_repo name: Reset repository -- Gitblit v1.9.1
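Review bot: The job-level block grants only `pull-requests: write`, so together with the new top-level `permissions: {}` every other scope, including `contents`, is set to none for the `update` job. The checkout step and the later `git ls-remote origin` call should still work on a public repository, but they would fail on a private one, and any step outside this hunk that pushes the update branch with GITHUB_TOKEN would need `contents: write`; whether one does is not visible here. If the branch is pushed with a different credential, a comment above the block such as `# GITHUB_TOKEN only opens the pull request; the branch is pushed with <other credential>` would record why the grant is this narrow. The job's step list continues beyond the hunk.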
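Review bot: The `mvn ... | grep -E ...` pipeline in `vars` and the `git ls-remote` / `git rev-parse` branch in `check_branch` now write their raw output straight into `$GITHUB_OUTPUT`, where every line is expected to have the form `name=value`; if either command ever prints more than one line, the extra lines are no longer harmless log output and the runner is likely to reject the file. Capturing the value first and writing it once is more robust, for example `version="$(mvn ... | grep -E -m1 '^[0-9a-zA-Z.-]+$')"` followed by `echo "keycloakVersion=$version" >> "$GITHUB_OUTPUT"`, which also quotes the file path. Separately, `${{ steps.vars.outputs.keycloakVersion }}` is substituted into the script text before the shell runs, so the grep allow-list is the only thing keeping that value inert inside the single quotes; passing step outputs through `env:` and reading them as shell variables would remove that dependency.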