mirror of
https://github.com/astral-sh/ruff-action.git
synced 2026-05-12 20:50:14 +02:00
William Woodruff
74b1866cee
This addresses a variety of findings, mostly around overly broad default permissions and credential sharing. I've also run [pinact](https://github.com/suzuki-shunsuke/pinact) to auto-hash-pin all action references -- Dependabot will still update these, but having them hash-pinned will seal off any undesirable tag/branch mutability 🙂 (99% of these findings were done automatically with `zizmor --fix=all`, followed by verifying the results. I haven't added a [zizmor](https://docs.zizmor.sh) workflow as part of this PR, but I'd be happy to if desired.) --------- Signed-off-by: William Woodruff <william@astral.sh>
40 lines
1.3 KiB
YAML
40 lines
1.3 KiB
YAML
name: "Update known checksums"
|
|
on:
|
|
workflow_dispatch:
|
|
schedule:
|
|
- cron: "0 4 * * *" # Run every day at 4am UTC
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
steps:
|
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
with:
|
|
persist-credentials: false
|
|
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
|
|
with:
|
|
node-version: "20"
|
|
- name: Update known checksums
|
|
id: update-known-checksums
|
|
run:
|
|
node dist/update-known-checksums/index.js
|
|
src/download/checksum/known-checksums.ts ${{ secrets.GITHUB_TOKEN }}
|
|
- run: npm install && npm run all
|
|
- name: Create Pull Request
|
|
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
|
|
with:
|
|
commit-message: "chore: update known checksums"
|
|
title:
|
|
"chore: update known checksums for ${{
|
|
steps.update-known-checksums.outputs.latest-version }}"
|
|
body:
|
|
"chore: update known checksums for ${{
|
|
steps.update-known-checksums.outputs.latest-version }}"
|
|
base: main
|
|
labels: "automated-pr,update-known-checksums"
|
|
branch: update-known-checksums-pr
|
|
delete-branch: true
|