From b1c0c9d40edcf1877698afb865f46c7f498ce7d7 Mon Sep 17 00:00:00 2001
From: Jacek Kowalski <Jacek@jacekk.info>
Date: Thu, 27 Apr 2023 20:49:29 +0000
Subject: [PATCH] GitHub Actions: limit permissions of GITHUB_TOKEN

---
 .github/workflows/update-deps.yml |   21 ++++++++++++++-------
 1 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/update-deps.yml b/.github/workflows/update-deps.yml
index 980fc8c..06beead 100644
--- a/.github/workflows/update-deps.yml
+++ b/.github/workflows/update-deps.yml
@@ -5,10 +5,14 @@
 
 name: Update dependencies
 
+permissions: {}
+
 jobs:
   update:
     name: Update dependencies
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - id: checkout
         name: Checkout code
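Review bot: The job-level `permissions` block grants only `pull-requests: write`, so together with the top-level `permissions: {}` the token has no `contents` scope for the checkout step that follows. That presumably works only because the repository is publicly readable. Adding `contents: read` next to `pull-requests: write` keeps the checkout independent of repository visibility and is still least-privilege. The `update` job continues past this hunk, so if a later step pushes the `feature/keycloak-update-*` branch with GITHUB_TOKEN it would need `contents: write` instead; it is worth confirming which credential does the push. A one-line comment above `pull-requests: write` naming the step that needs it would make the grant auditable.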
@@ -16,7 +20,7 @@
 
       - id: java
         name: Install Java and Maven
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v3
         with:
           distribution: zulu
           java-version: 11
@@ -29,20 +33,23 @@
       - id: vars
         name: Get project variables
         run: |
-          echo -n "::set-output name=versionUpdated::"
-          [ -f pom.xml.versionsBackup ] && echo 1 || echo 0
-          echo -n "::set-output name=keycloakVersion::"
-          mvn -q help:evaluate -Dexpression=keycloak.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$'
+          if [ -f pom.xml.versionsBackup ]; then
+            echo "versionUpdated=1"
+          else
+            echo "versionUpdated=0"
+          fi >> $GITHUB_OUTPUT
+          echo -n "keycloakVersion=" >> $GITHUB_OUTPUT
+          mvn -q help:evaluate -Dexpression=keycloak.version -DforceStdout 2> /dev/null | grep -E '^[0-9a-zA-Z.-]+$' >> $GITHUB_OUTPUT
 
       - id: check_branch
         name: Check if branch exists
         run: |
-          echo -n "::set-output name=commit::"
+          echo -n "commit=" >> $GITHUB_OUTPUT
           if [ '${{ steps.vars.outputs.versionUpdated }}' == '1' ]; then
             git ls-remote origin 'feature/keycloak-update-${{ steps.vars.outputs.keycloakVersion }}'
           else
             git rev-parse HEAD
-          fi
+          fi >> $GITHUB_OUTPUT
 
       - id: reset_repo
         name: Reset repository
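Review bot: In `check_branch`, `${{ steps.vars.outputs.versionUpdated }}` and `${{ steps.vars.outputs.keycloakVersion }}` are still expanded by the runner into the script text before bash parses it, so the step's safety depends entirely on the `grep -E '^[0-9a-zA-Z.-]+$'` allowlist in the `vars` step. Passing the value through the environment removes that hidden coupling: add `env:` with `KEYCLOAK_VERSION: ${{ steps.vars.outputs.keycloakVersion }}` to the step and call `git ls-remote origin "feature/keycloak-update-${KEYCLOAK_VERSION}"`. Separately, `git ls-remote` prints one `<sha><TAB><ref>` line per matching ref, so if more than one ref ever matches, the extra lines are appended to the output file without a `commit=` prefix. Limiting the output to a single line and quoting the target as `>> "$GITHUB_OUTPUT"` would keep the record well-formed.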

--
Gitblit v1.9.1