mirror of
https://github.com/ether/etherpad-lite.git
synced 2026-07-17 16:47:05 +00:00
ci(security): restrict GITHUB_TOKEN permissions in update-plugins workflow (#7557)
Adds an explicit `permissions: contents: read` block to update-plugins.yml. Cross-repo work (cloning ether/ep_* repos, pushing updates, merging Dependabot PRs) is authenticated via secrets.PLUGINS_PAT, so the default GITHUB_TOKEN only needs read access for actions/checkout. Addresses CodeQL code-scanning alert #115 ("Workflow does not contain permissions"). Matches the pattern already used by the other workflows under .github/workflows/. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
f3f6829f8f
commit
3ccf0b1c04
1 changed files with 6 additions and 0 deletions
6
.github/workflows/update-plugins.yml
vendored
6
.github/workflows/update-plugins.yml
vendored
|
|
@ -5,6 +5,12 @@ on:
|
|||
- cron: '0 6 * * *' # Daily at 06:00 UTC
|
||||
workflow_dispatch: # Allow manual trigger
|
||||
|
||||
# The cross-repo work (cloning ether/ep_* repos, pushing updates, merging
|
||||
# Dependabot PRs) is authenticated via secrets.PLUGINS_PAT. The default
|
||||
# GITHUB_TOKEN only needs read access to this repo for actions/checkout.
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
update-plugins:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue