From 44cc5e08a77c1e02510417d093fa6ffcb549ef97 Mon Sep 17 00:00:00 2001
From: Frank Elsinga
Date: Fri, 2 Jan 2026 02:37:58 +0100
Subject: [PATCH 01/11] pin gha and add dependabot to update them
---
 .github/dependabot.yml | 20 +++++++++++++++++
 .github/workflows/auto-test.yml | 24 ++++++++++-----------
 .github/workflows/close-incorrect-issue.yml | 4 ++--
 .github/workflows/codeql-analysis.yml | 8 +++----
 .github/workflows/conflict_labeler.yml | 2 +-
 .github/workflows/prevent-file-change.yml | 2 +-
 .github/workflows/stale-bot.yml | 4 ++--
 .github/workflows/validate.yml | 8 +++----
 8 files changed, 46 insertions(+), 26 deletions(-)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..73702c5fc
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,20 @@
+# Dependabot configuration for Uptime Kuma
+# See: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ # Enable version updates for GitHub Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ # Group all GitHub Actions updates into a single PR
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ open-pull-requests-limit: 5
+ commit-message:
+ prefix: "chore"
+ include: "scope"
\ No newline at end of file
diff --git a/.github/workflows/auto-test.yml b/.github/workflows/auto-test.yml
index f0dfdfa55..cf3393006 100644
--- a/.github/workflows/auto-test.yml
+++ b/.github/workflows/auto-test.yml
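Review bot: A single `github-actions` group with `patterns: ["*"]` puts a major-version bump of a third-party action into the same grouped PR as routine `actions/*` patch bumps, so one approval covers both kinds of change; patch 11 of this series has to walk `xalvarez/prevent-file-change-action` back from v3.0.0 to v1.9.1, which is exactly the kind of bump that deserves its own review. Consider a first group for first-party actions, `patterns: ["actions/*", "github/*"]`, and keeping the catch-all `"*"` group for the rest, or restricting the catch-all with `update-types: ["minor", "patch"]` so majors of third-party actions arrive as separate PRs. Dependabot assigns a dependency to the first group it matches, so the first-party group must be listed before the catch-all.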
@@ -31,17 +31,17 @@ jobs: steps: - run: git config --global core.autocrlf false # Mainly for Windows - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Cache/Restore node_modules - uses: actions/cache@v4 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 id: node-modules-cache with: path: node_modules key: node-modules-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} - name: Use Node.js ${{ matrix.node }} - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: ${{ matrix.node }} - run: npm install @@ -65,17 +65,17 @@ jobs: steps: - run: git config --global core.autocrlf false # Mainly for Windows - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Cache/Restore node_modules - uses: actions/cache@v4 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 id: node-modules-cache with: path: node_modules key: node-modules-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} - name: Use Node.js ${{ matrix.node }} - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: ${{ matrix.node }} - run: npm install --production @@ -85,17 +85,17 @@ jobs: steps: - run: git config --global core.autocrlf false # Mainly for Windows - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Cache/Restore node_modules - uses: actions/cache@v4 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 id: node-modules-cache with: path: node_modules key: node-modules-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} - name: Use Node.js 20 - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: 20 - run: npm install 
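Review bot: Every `uses:` line in these three hunks changes major version at the moment it is pinned (`actions/checkout@v4` → `# v6.0.1`, `actions/cache@v4` → `# v5.0.1`), so a regression in CI cannot be attributed to the pin versus the upgrade, and the title "pin gha" does not announce an upgrade. The same bundling is in the `@@ -108` hunk of this file, in `codeql-analysis.yml` (`checkout@v3` → v6.0.1, `codeql-action@v2` → v4.31.9), `stale-bot.yml` (`stale@v9` → v10.1.1), `validate.yml` (`json-yaml-validate@v2.4.0` → v4.0.0) and `prevent-file-change.yml` (v1 → v3.0.0), and patch 11 of this series reverts that last one to v1.9.1. Pin at the major each workflow already uses and let the grouped Dependabot PR from this same commit propose the major bumps, so each one arrives with its own changelog to review.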
@@ -108,17 +108,17 @@ jobs: PLAYWRIGHT_VERSION: ~1.39.0 steps: - run: git config --global core.autocrlf false # Mainly for Windows - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Cache/Restore node_modules - uses: actions/cache@v4 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 id: node-modules-cache with: path: node_modules key: node-modules-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }} - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: 22 - run: npm install diff --git a/.github/workflows/close-incorrect-issue.yml b/.github/workflows/close-incorrect-issue.yml index f618cd7c2..66266dd0a 100644 --- a/.github/workflows/close-incorrect-issue.yml +++ b/.github/workflows/close-incorrect-issue.yml @@ -14,10 +14,10 @@ jobs: node-version: [20] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: ${{ matrix.node-version }} - run: npm ci diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0e3b72c4b..a26befa0e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -26,18 +26,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/conflict_labeler.yml b/.github/workflows/conflict_labeler.yml index fdcc9c551..a2a4d9a42 100644 --- a/.github/workflows/conflict_labeler.yml +++ b/.github/workflows/conflict_labeler.yml @@ -19,7 +19,7 @@ jobs: pull-requests: write steps: - name: Apply label - uses: eps1lon/actions-label-merge-conflict@v3 + uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3 with: dirtyLabel: 'needs:resolve-merge-conflict' repoToken: '${{ secrets.GITHUB_TOKEN }}' diff --git a/.github/workflows/prevent-file-change.yml b/.github/workflows/prevent-file-change.yml index 0af3a6cbf..21e6cc16b 100644 --- a/.github/workflows/prevent-file-change.yml +++ b/.github/workflows/prevent-file-change.yml @@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Prevent file change - uses: xalvarez/prevent-file-change-action@v1 + uses: xalvarez/prevent-file-change-action@8ba6c9f0f3c6c73caea35ae4b13988047f9cd104 # v3.0.0 with: githubToken: ${{ secrets.GITHUB_TOKEN }} # Regex, /src/lang/*.json is not allowed to be changed, except for /src/lang/en.json diff --git a/.github/workflows/stale-bot.yml b/.github/workflows/stale-bot.yml index 60eca6403..50c63f314 100644 
--- a/.github/workflows/stale-bot.yml +++ b/.github/workflows/stale-bot.yml @@ -9,7 +9,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v9 + - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1 with: stale-issue-message: |- We are clearing up our old `help`-issues and your issue has been open for 60 days with no activity. @@ -21,7 +21,7 @@ jobs: exempt-issue-labels: 'News,Medium,High,discussion,bug,doc,feature-request' exempt-issue-assignees: 'louislam' operations-per-run: 200 - - uses: actions/stale@v9 + - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1 with: stale-issue-message: |- This issue was marked as `cannot-reproduce` by a maintainer. diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 4dff3689d..1fe5b3606 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -17,11 +17,11 @@ jobs: json-yaml-validate: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: json-yaml-validate id: json-yaml-validate - uses: GrantBirki/json-yaml-validate@v2.4.0 + uses: GrantBirki/json-yaml-validate@9bbaa8474e3af4e91f25eda8ac194fdc30564d96 # v4.0.0 with: comment: "true" # enable comment mode exclude_file: ".github/config/exclude.txt" # gitignore style file for exclusions @@ -30,9 +30,9 @@ jobs: validate: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Use Node.js 20 - uses: actions/setup-node@v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: 20 From 373ebe2df7c83c8d1aa2ba89ca4dbcadeac38e57 Mon Sep 17 00:00:00 2001 
From: Frank Elsinga Date: Fri, 2 Jan 2026 02:41:05 +0100 Subject: [PATCH 02/11] Update prevent-file-change.yml --- .github/workflows/prevent-file-change.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/prevent-file-change.yml b/.github/workflows/prevent-file-change.yml index 21e6cc16b..fcb47a659 100644 --- a/.github/workflows/prevent-file-change.yml +++ b/.github/workflows/prevent-file-change.yml @@ -1,11 +1,14 @@ name: prevent-file-change on: - pull_request: + pull_request_target: +permissions: {} jobs: check-file-changes: runs-on: ubuntu-latest + permissions: + pull-requests: read steps: - name: Prevent file change uses: xalvarez/prevent-file-change-action@8ba6c9f0f3c6c73caea35ae4b13988047f9cd104 # v3.0.0 From 3846333ffbb98f51f7c4dd29d991b4cccac2cd56 Mon Sep 17 00:00:00 2001 From: Frank Elsinga Date: Fri, 2 Jan 2026 02:48:31 +0100 Subject: [PATCH 03/11] Update .github/dependabot.yml --- .github/dependabot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 73702c5fc..70efa7782 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -17,4 +17,4 @@ updates: open-pull-requests-limit: 5 commit-message: prefix: "chore" - include: "scope" \ No newline at end of file + include: "scope" From ba26a319425a176ab6ef0cf250dd8daa489b0893 Mon Sep 17 00:00:00 2001 From: Frank Elsinga Date: Fri, 2 Jan 2026 02:49:26 +0100 Subject: [PATCH 04/11] add a cooldown --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 70efa7782..90eb809ab 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -18,3 +18,5 @@ updates: commit-message: prefix: "chore" include: "scope" + cooldown: + default-days: 7 From 77f52e4d47492a23b25c95a6b969b502db549e43 Mon Sep 17 00:00:00 2001 
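Review bot: Moving `prevent-file-change` from `pull_request` to `pull_request_target` changes what a fork PR can trigger: the job now runs with a base-repository `GITHUB_TOKEN`, and it hands that token to a third-party action through the `githubToken:` input shown in patch 01. The added `permissions: {}` and job-level `pull-requests: read` bound what the token can do, but the commit message ("Update prevent-file-change.yml") records no reason for the trigger change, and patch 11 of this series reverts it to `pull_request`. Either drop the trigger change from this commit or squash it with patch 11, so the history never contains a `pull_request_target` workflow without the justification for it.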
From: Frank Elsinga Date: Fri, 2 Jan 2026 02:51:43 +0100 Subject: [PATCH 05/11] don't persist credentials in CI --- .github/workflows/auto-test.yml | 4 ++++ .github/workflows/close-incorrect-issue.yml | 1 + .github/workflows/codeql-analysis.yml | 4 ++-- .github/workflows/validate.yml | 2 ++ 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/auto-test.yml b/.github/workflows/auto-test.yml index cf3393006..48496acf8 100644 --- a/.github/workflows/auto-test.yml +++ b/.github/workflows/auto-test.yml @@ -32,6 +32,7 @@ jobs: steps: - run: git config --global core.autocrlf false # Mainly for Windows - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: { persist-credentials: false } - name: Cache/Restore node_modules uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 @@ -66,6 +67,7 @@ jobs: steps: - run: git config --global core.autocrlf false # Mainly for Windows - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: { persist-credentials: false } - name: Cache/Restore node_modules uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 @@ -86,6 +88,7 @@ jobs: steps: - run: git config --global core.autocrlf false # Mainly for Windows - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: { persist-credentials: false } - name: Cache/Restore node_modules uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 @@ -109,6 +112,7 @@ jobs: steps: - run: git config --global core.autocrlf false # Mainly for Windows - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: { persist-credentials: false } - name: Cache/Restore node_modules uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 diff --git a/.github/workflows/close-incorrect-issue.yml b/.github/workflows/close-incorrect-issue.yml index 66266dd0a..8c50345cc 100644 --- a/.github/workflows/close-incorrect-issue.yml 
+++ b/.github/workflows/close-incorrect-issue.yml @@ -15,6 +15,7 @@ jobs: steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: { persist-credentials: false } - name: Use Node.js ${{ matrix.node-version }} uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a26befa0e..aa0b3c860 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -25,8 +25,8 @@ jobs: language: [ 'go', 'javascript-typescript' ] steps: - - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: { persist-credentials: false } # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 1fe5b3606..e1d760b52 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -18,6 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: { persist-credentials: false } - name: json-yaml-validate id: json-yaml-validate @@ -31,6 +32,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: { persist-credentials: false } - name: Use Node.js 20 uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: From 1a5b9894961adb8f133e3b5761ba593663912e54 Mon Sep 17 00:00:00 2001 From: Frank Elsinga Date: Fri, 2 Jan 2026 02:55:14 +0100 Subject: [PATCH 06/11] tighten permissions for stalebot --- .github/workflows/stale-bot.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/stale-bot.yml b/.github/workflows/stale-bot.yml index 50c63f314..8cb8dd55d 100644 
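Review bot: The `codeql-analysis.yml` hunk drops the `- name: Checkout repository` step name while the remaining steps in the job keep theirs (`Initialize CodeQL`, `Autobuild`, `Perform CodeQL Analysis`), so the job log now shows the action path for that step instead of a name. Keep `- name: Checkout repository` above the `uses:` line and add the new input in block style, `with:` followed by `persist-credentials: false`, which matches how the rest of that file writes `with:` blocks. The flow-style `with: { persist-credentials: false }` used in the other hunks of this patch is valid for a one-key leaf, but the file-level convention in these workflows is block style, so one form should be chosen across all seven checkouts.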
--- a/.github/workflows/stale-bot.yml +++ b/.github/workflows/stale-bot.yml @@ -4,10 +4,14 @@ on: schedule: - cron: '0 */6 * * *' #Run every 6 hours +permissions: {} jobs: stale: runs-on: ubuntu-latest + permissions: + actions: write + issues: write steps: - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1 with: @@ -18,7 +22,7 @@ jobs: days-before-close: 7 days-before-pr-stale: -1 days-before-pr-close: -1 - exempt-issue-labels: 'News,Medium,High,discussion,bug,doc,feature-request' + exempt-issue-labels: 'News,discussion,bug,doc,feature-request' exempt-issue-assignees: 'louislam' operations-per-run: 200 - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1 From c37d019f436289c93a3482f8ec03efc5ea6cd6b6 Mon Sep 17 00:00:00 2001 From: Frank Elsinga Date: Fri, 2 Jan 2026 02:58:07 +0100 Subject: [PATCH 07/11] add more permission blocks --- .github/workflows/auto-test.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/auto-test.yml b/.github/workflows/auto-test.yml index 48496acf8..0a154cc74 100644 --- a/.github/workflows/auto-test.yml +++ b/.github/workflows/auto-test.yml @@ -84,6 +84,8 @@ jobs: check-linters: runs-on: ubuntu-latest + permissions: + contents: read steps: - run: git config --global core.autocrlf false # Mainly for Windows @@ -107,6 +109,8 @@ jobs: e2e-test: needs: [ check-linters ] runs-on: ARM64 + permissions: + contents: read env: PLAYWRIGHT_VERSION: ~1.39.0 steps: From 7141d16a3331b825b4be3639a66360cb543aab70 Mon Sep 17 00:00:00 2001 From: Frank Elsinga Date: Fri, 2 Jan 2026 02:59:20 +0100 Subject: [PATCH 08/11] add more permissions --- .github/workflows/auto-test.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/auto-test.yml b/.github/workflows/auto-test.yml index 0a154cc74..c88a5d695 100644 --- a/.github/workflows/auto-test.yml +++ b/.github/workflows/auto-test.yml 
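Review bot: The second `stale-bot.yml` hunk removes `Medium,High` from `exempt-issue-labels`, so issues carrying those labels become eligible for the 60-day stale cycle and the 7-day close; that is a triage-policy change that the title "tighten permissions for stalebot" does not mention and that should be stated in the message or split into its own commit. In the first hunk, `actions: write` is an unusual grant for a scheduled bot and its purpose is not visible here; presumably it lets `actions/stale` manage the cache entry it keeps its state in, which should be recorded inline, e.g. `actions: write  # actions/stale manages its state cache — confirm against the action's README`, so the next permissions review does not drop it.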
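Review bot: In the `auto-test.yml` hunk of patch 07, `contents: read` on `e2e-test` is correct but does not bound the job's real exposure: the job runs on a self-hosted runner (`runs-on: ARM64`) and the workflow's triggers are outside this hunk. If `pull_request` is among them, code from a fork PR executes on that runner regardless of token permissions, so the runner should be ephemeral or the job gated (for example on `github.event.pull_request.head.repo.full_name == github.repository`); a short comment next to `runs-on: ARM64` stating which triggers are allowed to reach it would make that constraint reviewable.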
@@ -12,12 +12,15 @@ on: branches: [ master, 1.23.X ] paths-ignore: - '*.md' +permissions: {} jobs: auto-test: needs: [ e2e-test ] runs-on: ${{ matrix.os }} timeout-minutes: 15 + permissions: + contents: read strategy: matrix: @@ -57,6 +60,8 @@ jobs: needs: [ e2e-test ] runs-on: ${{ matrix.os }} timeout-minutes: 15 + permissions: + contents: read if: ${{ github.repository == 'louislam/uptime-kuma' }} strategy: matrix: From a603b8e7d3317f89df7c78ed108540f20ffd82e9 Mon Sep 17 00:00:00 2001 From: Frank Elsinga Date: Fri, 2 Jan 2026 03:01:35 +0100 Subject: [PATCH 09/11] more permissions --- .github/workflows/validate.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index e1d760b52..3da0f9060 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -8,14 +8,14 @@ on: - master - 1.23.X workflow_dispatch: - -permissions: - contents: read - pull-requests: write # enable write permissions for pull request comments +permissions: {} jobs: json-yaml-validate: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write # enable write permissions for pull request comments steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: { persist-credentials: false } @@ -30,6 +30,8 @@ jobs: # General validations validate: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: { persist-credentials: false } From a5a20ac075aa12280d5db937dca9e36f9ea5b03a Mon Sep 17 00:00:00 2001 From: Frank Elsinga Date: Fri, 2 Jan 2026 03:07:34 +0100 Subject: [PATCH 10/11] fix a few more CI issues --- .github/workflows/close-incorrect-issue.yml | 8 +++++++- .github/workflows/conflict_labeler.yml | 7 ++++++- .github/workflows/prevent-file-change.yml | 7 ++++++- 3 files changed, 19 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/close-incorrect-issue.yml b/.github/workflows/close-incorrect-issue.yml index 8c50345cc..aa7113ed7 100644 --- a/.github/workflows/close-incorrect-issue.yml +++ b/.github/workflows/close-incorrect-issue.yml @@ -3,10 +3,13 @@ name: Close Incorrect Issue on: issues: types: [opened] +permissions: {} jobs: close-incorrect-issue: runs-on: ${{ matrix.os }} + permissions: + issues: write strategy: matrix: @@ -22,4 +25,7 @@ jobs: with: node-version: ${{ matrix.node-version }} - run: npm ci - - run: node extra/close-incorrect-issue.js ${{ secrets.GITHUB_TOKEN }} ${{ github.event.issue.number }} ${{ github.event.issue.user.login }} + - name: Close incorrect issue + run: node extra/close-incorrect-issue.js ${{ secrets.GITHUB_TOKEN }} ${{ github.event.issue.number }} "$ISSUE_USER_LOGIN" + env: + ISSUE_USER_LOGIN: ${{ github.event.issue.user.login }} diff --git a/.github/workflows/conflict_labeler.yml b/.github/workflows/conflict_labeler.yml index a2a4d9a42..65634d11e 100644 --- a/.github/workflows/conflict_labeler.yml +++ b/.github/workflows/conflict_labeler.yml @@ -1,6 +1,11 @@ name: Merge Conflict Labeler -on: +# pull_request_target is safe here because: +# 1. Only uses a pinned trusted action (by SHA) +# 2. Has minimal permissions (contents: read, pull-requests: write) +# 3. Doesn't checkout or execute any untrusted code from PRs +# 4. Only adds/removes labels based on merge conflict status +on: # zizmor: ignore[dangerous-triggers] push: branches: - master diff --git a/.github/workflows/prevent-file-change.yml b/.github/workflows/prevent-file-change.yml index fcb47a659..95f099759 100644 --- a/.github/workflows/prevent-file-change.yml +++ b/.github/workflows/prevent-file-change.yml 
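Review bot: In the `close-incorrect-issue.yml` hunk, only the user login was moved into `env:`; `${{ secrets.GITHUB_TOKEN }}` and `${{ github.event.issue.number }}` are still expanded by the expression engine directly into the `run:` script. The number is numeric and not an injection vector, but expanding expressions inside `run:` is the pattern the `ISSUE_USER_LOGIN` change exists to stop, and passing all three the same way keeps the script's positional-argument interface (`extra/close-incorrect-issue.js` is outside this diff). Change the run line to `run: node extra/close-incorrect-issue.js "$GITHUB_TOKEN" "$ISSUE_NUMBER" "$ISSUE_USER_LOGIN"` and add `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and `ISSUE_NUMBER: ${{ github.event.issue.number }}` under the existing `env:` block.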
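Review bot: The justification comment added above `on:` in `conflict_labeler.yml` claims "minimal permissions (contents: read, pull-requests: write)", but the only permission visible for this workflow in the series is the job-level `pull-requests: write` from patch 01, and this is the one workflow the series never gives the top-level `permissions: {}` that patches 02, 06, 08, 09 and 10 add everywhere else (the rest of the file is not in this diff, so confirm). Add `permissions: {}` at the workflow level so the comment's claim is enforced rather than asserted. The `# zizmor: ignore[dangerous-triggers]` suppression rests on point 3 of the comment, that no PR code is checked out; it is worth saying in the comment that adding a checkout of the PR head invalidates the suppression, since nothing else will catch that.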
@@ -1,6 +1,11 @@ name: prevent-file-change -on: +# pull_request_target is safe here because: +# 1. Only uses a pinned trusted action (by SHA) +# 2. Has minimal permissions (pull-requests: read) +# 3. Doesn't checkout or execute any untrusted code from PRs +# 4. Only validates that language files (except en.json) aren't modified +on: # zizmor: ignore[dangerous-triggers] pull_request_target: permissions: {} From 289fee40bbac6fb70adc5ed50a89def4a6e4ae21 Mon Sep 17 00:00:00 2001 From: Frank Elsinga Date: Fri, 2 Jan 2026 03:29:23 +0100 Subject: [PATCH 11/11] Apply suggestions from code review --- .github/workflows/prevent-file-change.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/.github/workflows/prevent-file-change.yml b/.github/workflows/prevent-file-change.yml index 95f099759..3c48dec1b 100644 --- a/.github/workflows/prevent-file-change.yml +++ b/.github/workflows/prevent-file-change.yml @@ -1,12 +1,7 @@ name: prevent-file-change -# pull_request_target is safe here because: -# 1. Only uses a pinned trusted action (by SHA) -# 2. Has minimal permissions (pull-requests: read) -# 3. Doesn't checkout or execute any untrusted code from PRs -# 4. Only validates that language files (except en.json) aren't modified -on: # zizmor: ignore[dangerous-triggers] - pull_request_target: +on: + pull_request: permissions: {} jobs: @@ -16,7 +11,7 @@ jobs: pull-requests: read steps: - name: Prevent file change - uses: xalvarez/prevent-file-change-action@8ba6c9f0f3c6c73caea35ae4b13988047f9cd104 # v3.0.0 + uses: xalvarez/prevent-file-change-action@004d9f17c2e4a7afa037cda5f38dc55a5e9c9c06 # v1.9.1 with: githubToken: ${{ secrets.GITHUB_TOKEN }} # Regex, /src/lang/*.json is not allowed to be changed, except for /src/lang/en.json
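Review bot: The second hunk downgrades `xalvarez/prevent-file-change-action` from the v3.0.0 SHA to `004d9f17c2e4a7afa037cda5f38dc55a5e9c9c06` (v1.9.1), and the grouped Dependabot update from patch 01 will propose v3 again on its next weekly run after the 7-day cooldown from patch 04; the reason the older major is preferred is not in the commit ("Apply suggestions from code review"). If the downgrade is intentional, add an `ignore:` entry to `.github/dependabot.yml` with `- dependency-name: "xalvarez/prevent-file-change-action"` and `update-types: ["version-update:semver-major"]`, and put a one-line reason next to the `uses:` line so the next reviewer does not re-bump it. Reverting the trigger to `pull_request` in the first hunk is consistent with the job's `pull-requests: read` grant, since fork PRs then only ever receive a read-only token.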