diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f55afd4..e671e67 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,3 +9,11 @@ updates: directory: "/" # Location of package manifests schedule: interval: "daily" + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + groups: + actions: + patterns: + - "*" diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml index b59be5f..410dc3c 100644 --- a/.github/workflows/boj-build.yml +++ b/.github/workflows/boj-build.yml @@ -1,19 +1,19 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later name: BoJ Server Build Trigger - on: push: - branches: [ main, master ] + branches: [main, master] workflow_dispatch: - jobs: trigger-boj: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Trigger BoJ Server (Casket/ssg-mcp) run: | # Send a secure trigger to boj-server to build this repository curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke" -H "Content-Type: application/json" -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"} continue-on-error: true +permissions: + contents: read diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0100124..90dbb26 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -9,7 +9,8 @@ on: schedule: - cron: '0 0 * * 0' -permissions: read-all +permissions: + contents: read jobs: analyze: diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml index 0b57402..6567249 100644 --- a/.github/workflows/guix-nix-policy.yml +++ b/.github/workflows/guix-nix-policy.yml @@ -2,7 +2,8 @@ name: Guix/Nix Package Policy on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: check: diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml index 90fcb9a..b031847 100644 --- a/.github/workflows/hypatia-scan.yml +++ b/.github/workflows/hypatia-scan.yml @@ -11,7 +11,8 @@ on: - cron: '0 0 * * 0' # Weekly on Sunday workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: scan: diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml index 94fcb80..3ffd629 100644 --- a/.github/workflows/mirror.yml +++ b/.github/workflows/mirror.yml @@ -7,7 +7,8 @@ on: branches: [main] workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: mirror-gitlab: diff --git a/.github/workflows/npm-bun-blocker.yml b/.github/workflows/npm-bun-blocker.yml index 864dc25..0516702 100644 --- a/.github/workflows/npm-bun-blocker.yml +++ b/.github/workflows/npm-bun-blocker.yml @@ -2,7 +2,8 @@ name: NPM/Bun Blocker on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: check: diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index 362a67e..0c578bc 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -3,7 +3,8 @@ name: Code Quality on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: lint: diff --git a/.github/workflows/rsr-antipattern.yml b/.github/workflows/rsr-antipattern.yml index d24d19a..7303e81 100644 --- a/.github/workflows/rsr-antipattern.yml +++ b/.github/workflows/rsr-antipattern.yml @@ -14,7 +14,8 @@ on: branches: [main, master, develop] -permissions: read-all +permissions: + contents: read jobs: antipattern-check: diff --git a/.github/workflows/rsr-validation.yml b/.github/workflows/rsr-validation.yml index ba64085..923c5f6 100644 --- a/.github/workflows/rsr-validation.yml +++ b/.github/workflows/rsr-validation.yml @@ -7,7 +7,8 @@ on: pull_request: branches: [ main ] -permissions: read-all +permissions: + contents: read jobs: validate: diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml index 19a704d..99068e4 100644 --- a/.github/workflows/scorecard-enforcer.yml +++ b/.github/workflows/scorecard-enforcer.yml @@ -9,7 +9,8 @@ on: - cron: '0 6 * * 1' # Weekly on Monday workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: scorecard: diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 68a67ec..3b6c243 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -7,7 +7,8 @@ on: - cron: '0 4 * * *' workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: analysis: diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml index d573797..814f65a 100644 --- a/.github/workflows/secret-scanner.yml +++ b/.github/workflows/secret-scanner.yml @@ -7,7 +7,8 @@ on: push: branches: [main] -permissions: read-all +permissions: + contents: read jobs: trufflehog: diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml index 615acf7..ee9cffc 100644 --- a/.github/workflows/security-policy.yml +++ b/.github/workflows/security-policy.yml @@ -2,7 +2,8 @@ name: Security Policy on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: check: diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 489f385..d5f42a3 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -9,7 +9,8 @@ on: schedule: - cron: '0 0 * * 1' -permissions: read-all +permissions: + contents: read jobs: scorecard: diff --git a/.github/workflows/trufflehog-terraform.yml b/.github/workflows/trufflehog-terraform.yml index 98d57d6..6b9471d 100644 --- a/.github/workflows/trufflehog-terraform.yml +++ b/.github/workflows/trufflehog-terraform.yml @@ -1,5 +1,7 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later name: Trufflehog Terraform Scan -permissions: read-all +permissions: + contents: read on: workflow_dispatch: diff --git a/.github/workflows/ts-blocker.yml b/.github/workflows/ts-blocker.yml index e8669fd..ac6338e 100644 --- a/.github/workflows/ts-blocker.yml +++ b/.github/workflows/ts-blocker.yml @@ -2,7 +2,8 @@ name: TypeScript/JavaScript Blocker on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: check: diff --git a/.github/workflows/wellknown-enforcement.yml b/.github/workflows/wellknown-enforcement.yml index 1d811e6..98f857b 100644 --- a/.github/workflows/wellknown-enforcement.yml +++ b/.github/workflows/wellknown-enforcement.yml @@ -15,7 +15,8 @@ on: workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: validate: diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml index 805b045..eb0a8ef 100644 --- a/.github/workflows/workflow-linter.yml +++ b/.github/workflows/workflow-linter.yml @@ -12,7 +12,8 @@ on: - '.github/workflows/**' workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: lint-workflows: @@ -53,7 +54,8 @@ jobs: fi done if [ $failed -eq 1 ]; then - echo "Add 'permissions: read-all' at workflow level" + echo "Add 'permissions: + contents: read' at workflow level" exit 1 fi echo "All workflows have permissions declared" @@ -63,7 +65,7 @@ jobs: echo "=== Checking Action Pinning ===" # Find any uses: lines that don't have @SHA format # Pattern: uses: owner/repo@<40-char-hex> - unpinned=$(grep -rn "uses:" .github/workflows/ | \ + unpinned=$(grep -rnE "^[[:space:]]+uses:" .github/workflows/ | \ grep -v "@[a-f0-9]\{40\}" | \ grep -v "uses: \./\|uses: docker://\|uses: actions/github-script" || true) diff --git a/tests/fuzz/placeholder.txt b/tests/fuzz/placeholder.txt new file mode 100644 index 0000000..8621280 --- /dev/null +++ b/tests/fuzz/placeholder.txt @@ -0,0 +1 @@ +Scorecard requirement placeholder