From b1c0c9d40edcf1877698afb865f46c7f498ce7d7 Mon Sep 17 00:00:00 2001
From: Jacek Kowalski <Jacek@jacekk.info>
Date: Thu, 27 Apr 2023 20:49:29 +0000
Subject: [PATCH] GitHub Actions: limit permissions of GITHUB_TOKEN
---
.github/workflows/update-deps.yml | 21 ++++++++++++++-------
1 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/update-deps.yml b/.github/workflows/update-deps.yml
index 980fc8c..06beead 100644
--- a/.github/workflows/update-deps.yml
+++ b/.github/workflows/update-deps.yml
@@ -5,10 +5,14 @@
name: Update dependencies
+permissions: {}
+
jobs:
update:
name: Update dependencies
runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
steps:
- id: checkout
name: Checkout code
@@ -16,7 +20,7 @@
- id: java
name: Install Java and Maven
- uses: actions/setup-java@v2
+ uses: actions/setup-java@v3
with:
distribution: zulu
java-version: 11
@@ -29,20 +33,23 @@
- id: vars
name: Get project variables
run: |
- echo -n "::set-output name=versionUpdated::"
- [ -f pom.xml.versionsBackup ] && echo 1 || echo 0
- echo -n "::set-output name=keycloakVersion::"
- mvn -q help:evaluate -Dexpression=keycloak.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$'
+ if [ -f pom.xml.versionsBackup ]; then
+ echo "versionUpdated=1"
+ else
+ echo "versionUpdated=0"
+ fi >> $GITHUB_OUTPUT
+ echo -n "keycloakVersion=" >> $GITHUB_OUTPUT
+ mvn -q help:evaluate -Dexpression=keycloak.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$' >> $GITHUB_OUTPUT
- id: check_branch
name: Check if branch exists
run: |
- echo -n "::set-output name=commit::"
+ echo -n "commit=" >> $GITHUB_OUTPUT
if [ '${{ steps.vars.outputs.versionUpdated }}' == '1' ]; then
git ls-remote origin 'feature/keycloak-update-${{ steps.vars.outputs.keycloakVersion }}'
else
git rev-parse HEAD
- fi
+ fi >> $GITHUB_OUTPUT
- id: reset_repo
name: Reset repository
--
Gitblit v1.10.0