From 40d1a24aa0ca762e60493c74a91c76d3222413b2 Mon Sep 17 00:00:00 2001
From: Kevin van Zonneveld
Date: Mon, 8 Jun 2026 19:52:58 +0200
Subject: [PATCH 1/3] Pin third-party GitHub Actions to SHAs
---
 .github/workflows/archive.yml | 4 ++--
 .github/workflows/ghpages.yml | 4 ++--
 .github/workflows/publish.yml | 4 ++--
 .github/workflows/update.yml | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/archive.yml b/.github/workflows/archive.yml
index dd9429a..ada0d6e 100644
--- a/.github/workflows/archive.yml
+++ b/.github/workflows/archive.yml
@@ -23,7 +23,7 @@ jobs:
 # Note: No caching for this build!
 - name: "Update Archive"
- uses: martinthomson/i-d-template@v1
+ uses: martinthomson/i-d-template@d2ce969b54014edf5671856b6866866c258bf8f5
 env:
 ARCHIVE_FULL: ${{ inputs.archive_full }}
 with:
@@ -31,7 +31,7 @@ jobs:
 token: ${{ github.token }}
 - name: "Update GitHub Pages"
- uses: martinthomson/i-d-template@v1
+ uses: martinthomson/i-d-template@d2ce969b54014edf5671856b6866866c258bf8f5
 with:
 make: gh-archive
 token: ${{ github.token }}
diff --git a/.github/workflows/ghpages.yml b/.github/workflows/ghpages.yml
index a1bf36e..fb85fc3 100644
--- a/.github/workflows/ghpages.yml
+++ b/.github/workflows/ghpages.yml
@@ -39,12 +39,12 @@ jobs:
 restore-keys: i-d-
 - name: "Build Drafts"
- uses: martinthomson/i-d-template@v1
+ uses: martinthomson/i-d-template@d2ce969b54014edf5671856b6866866c258bf8f5
 with:
 token: ${{ github.token }}
 - name: "Update GitHub Pages"
- uses: martinthomson/i-d-template@v1
+ uses: martinthomson/i-d-template@d2ce969b54014edf5671856b6866866c258bf8f5
 if: ${{ github.event_name == 'push' }}
 with:
 make: gh-pages
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 94d885f..0436846 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
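Review bot: The pinned `uses:` lines carry no trailing comment recording which tag the commit corresponds to, so neither a reviewer nor an update bot can tell from the workflow which release `d2ce969b…` is; this applies to both hunks in archive.yml, the hunk in ghpages.yml, and the publish.yml and update.yml hunks that follow. Write each as `uses: martinthomson/i-d-template@d2ce969b54014edf5671856b6866866c258bf8f5 # v1`, after confirming that this SHA is the commit `v1` pointed to when it was pinned. A commit pin also covers only the action repository's own contents: if the action's `action.yml` (not visible here) runs a container image referenced by a mutable tag, or the build fetches tooling at run time, those inputs remain unpinned and still receive the `token:` passed in `with:`. The `actions/checkout@v4` context line in update.yml stays tag-pinned, which matches the commit's stated "third-party" scope but is worth a deliberate decision.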
@@ -40,12 +40,12 @@ jobs:
 restore-keys: i-d-
 - name: "Build Drafts"
- uses: martinthomson/i-d-template@v1
+ uses: martinthomson/i-d-template@d2ce969b54014edf5671856b6866866c258bf8f5
 with:
 token: ${{ github.token }}
 - name: "Upload to Datatracker"
- uses: martinthomson/i-d-template@v1
+ uses: martinthomson/i-d-template@d2ce969b54014edf5671856b6866866c258bf8f5
 with:
 make: upload
 env:
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index 0f8d6b8..df80b91 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -27,7 +27,7 @@ jobs:
 uses: actions/checkout@v4
 - name: "Update Generated Files"
- uses: martinthomson/i-d-template@v1
+ uses: martinthomson/i-d-template@d2ce969b54014edf5671856b6866866c258bf8f5
 with:
 make: update-files
 token: ${{ github.token }}
From 13259a1e5ccebfbb68f4ff42e6234c709aea4d9f Mon Sep 17 00:00:00 2001
From: Kevin van Zonneveld
Date: Mon, 8 Jun 2026 20:01:08 +0200
Subject: [PATCH 2/3] Grant editor copy workflow pages write access
---
 .github/workflows/ghpages.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/ghpages.yml b/.github/workflows/ghpages.yml
index fb85fc3..841edeb 100644
--- a/.github/workflows/ghpages.yml
+++ b/.github/workflows/ghpages.yml
@@ -14,6 +14,9 @@ on:
 - LICENSE.md
 - .gitignore
+permissions:
+ contents: write
+
 jobs:
 build:
 name: "Update Editor's Copy"
From 5613e9ae879f439d5368f9541ac1ba7f174e0c36 Mon Sep 17 00:00:00 2001
From: Kevin van Zonneveld
Date: Mon, 8 Jun 2026 20:02:49 +0200
Subject: [PATCH 3/3] Limit editor copy publishing to main pushes
---
 .github/workflows/ghpages.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/ghpages.yml b/.github/workflows/ghpages.yml
index 841edeb..f80ba34 100644
--- a/.github/workflows/ghpages.yml
+++ b/.github/workflows/ghpages.yml
@@ -2,6 +2,8 @@ name: "Update Editor's Copy"
 on:
 push:
+ branches:
+ - main
 paths-ignore:
 - README.md
 - CONTRIBUTING.md
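Review bot: `permissions: contents: write` in the [PATCH 2/3] hunk is declared at workflow level, so every job and every trigger of ghpages.yml runs with a write-capable `github.token`, not only the publishing step. The "Update GitHub Pages" step is guarded by `if: ${{ github.event_name == 'push' }}`, which suggests the job also runs on other events; on those runs "Build Drafts" receives the same write token through `with: token:` although it presumably only needs to read. Consider declaring `permissions: contents: read` at the top and moving publication into its own job that sets `permissions: contents: write` and is gated on push. At minimum, add a comment above the block such as `# contents: write is needed so the publish step can push the built editor's copy`. The other triggers and the rest of the `build` job lie outside the hunk, so check this against the full file.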