etherpad-lite/.github
John McLear 3ccf0b1c04
ci(security): restrict GITHUB_TOKEN permissions in update-plugins workflow (#7557)
Adds an explicit `permissions: contents: read` block to update-plugins.yml.
Cross-repo work (cloning ether/ep_* repos, pushing updates, merging
Dependabot PRs) is authenticated via secrets.PLUGINS_PAT, so the default
GITHUB_TOKEN only needs read access for actions/checkout.

Addresses CodeQL code-scanning alert #115 ("Workflow does not contain
permissions"). Matches the pattern already used by the other workflows
under .github/workflows/.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 17:26:42 +01:00
..
ISSUE_TEMPLATE Fix bug_report.md bug template 2021-11-22 17:25:00 -05:00
workflows ci(security): restrict GITHUB_TOKEN permissions in update-plugins workflow (#7557) 2026-04-19 17:26:42 +01:00
dependabot.yml Bundle dev-dependency updates (#6268) 2024-03-25 12:38:34 +01:00
FUNDING.yml Create FUNDING.yml 2020-10-23 20:31:17 +01:00
PULL_REQUEST_TEMPLATE.md chore: Rename some occurences of etherpad-lite to etherpad (#7552) 2026-04-19 16:53:57 +02:00