ci(security): restrict GITHUB_TOKEN permissions in update-plugins workflow (#7557)

Adds an explicit `permissions: contents: read` block to update-plugins.yml.
Cross-repo work (cloning ether/ep_* repos, pushing updates, merging
Dependabot PRs) is authenticated via secrets.PLUGINS_PAT, so the default
GITHUB_TOKEN only needs read access for actions/checkout.

Addresses CodeQL code-scanning alert #115 ("Workflow does not contain
permissions"). Matches the pattern already used by the other workflows
under .github/workflows/.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
John McLear 2026-04-19 17:26:42 +01:00 committed by GitHub
parent f3f6829f8f
commit 3ccf0b1c04
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
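The commit message points at the CodeQL alert "Workflow does not contain permissions" and says the other workflows under .github/workflows/ already follow the same pattern. A practitioner applying this fix usually wants to confirm that claim for the whole directory rather than one file. The following is an added example, not code from the Etherpad repository or from this commit: a dependency-free check that treats a workflow as covered when it has a top-level `permissions:` key or when every job under `jobs:` declares its own `permissions:`. It assumes standard two-space YAML indentation (a heuristic, not a YAML parser), and the sample workflow texts are constructed for the example.

```python
"""Flag GitHub Actions workflows that set no GITHUB_TOKEN permissions.

Added example, not part of the Etherpad repository. It mirrors the intent of
the CodeQL query "Workflow does not contain permissions": a workflow passes if
it has a top-level `permissions:` key, or if every job under `jobs:` declares
its own `permissions:`. Indentation handling is a heuristic (assumes the usual
two-space YAML layout); the sample workflows below are constructed.
"""
import re
from typing import Dict, List

TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w-]*):")   # any key at column 0
JOB_KEY = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")   # job id at indent 2
JOB_PERMS = re.compile(r"^    permissions:")        # job-level permissions at indent 4


def _strip_comment(line: str) -> str:
    """Drop a trailing YAML comment; only key positions matter for this check."""
    return line.split("#", 1)[0].rstrip()


def workflow_permissions_report(text: str) -> Dict[str, object]:
    """Return whether the token scope is set at top level, which jobs lack
    their own scope, and whether the workflow as a whole is covered."""
    top_level_perms = False
    in_jobs = False
    jobs: Dict[str, bool] = {}
    current_job = None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        m = TOP_LEVEL_KEY.match(line)
        if m:
            key = m.group(1)
            top_level_perms |= key == "permissions"
            in_jobs = key == "jobs"
            current_job = None
            continue
        if in_jobs:
            jm = JOB_KEY.match(line)
            if jm:
                current_job = jm.group(1)
                jobs[current_job] = False
            elif current_job and JOB_PERMS.match(line):
                jobs[current_job] = True
    jobs_missing = [job for job, scoped in jobs.items() if not scoped]
    covered = top_level_perms or (bool(jobs) and not jobs_missing)
    return {"top_level": top_level_perms, "jobs_missing": jobs_missing, "covered": covered}


def audit_workflows(workflows: Dict[str, str]) -> List[str]:
    """Return the names of workflows that would raise the alert."""
    return [name for name, text in workflows.items()
            if not workflow_permissions_report(text)["covered"]]


# Constructed sample workflows (not files from the repository).
SAMPLE_WORKFLOWS = {
    # No permissions anywhere: GITHUB_TOKEN keeps the repository default scope.
    "no-perms.yml": """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
""",
    # Same shape as the fix in this commit: read-only token at top level.
    "update-plugins.yml": """\
name: update-plugins
on:
  schedule:
    - cron: '0 6 * * *' # Daily at 06:00 UTC
  workflow_dispatch:
# Cross-repo writes use secrets.PLUGINS_PAT; GITHUB_TOKEN only checks out.
permissions:
  contents: read
jobs:
  update-plugins:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
""",
    # One job scoped, one not: the unscoped job still gets the default token.
    "mixed.yml": """\
name: mixed
on: [pull_request]
jobs:
  lint:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  release:
    runs-on: ubuntu-latest
    steps:
      - run: echo release
""",
}

if __name__ == "__main__":
    for name in audit_workflows(SAMPLE_WORKFLOWS):
        print(f"{name}: missing permissions on {workflow_permissions_report(SAMPLE_WORKFLOWS[name])['jobs_missing']}")
```

Run against a real checkout by reading each file under .github/workflows/ into the dictionary; a workflow that scopes only some of its jobs is reported, because the remaining jobs still receive the repository's default GITHUB_TOKEN permissions.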


@ -5,6 +5,12 @@ on:
- cron: '0 6 * * *' # Daily at 06:00 UTC
workflow_dispatch: # Allow manual trigger
# The cross-repo work (cloning ether/ep_* repos, pushing updates, merging
# Dependabot PRs) is authenticated via secrets.PLUGINS_PAT. The default
# GITHUB_TOKEN only needs read access to this repo for actions/checkout.
permissions:
contents: read
jobs:
update-plugins:
runs-on: ubuntu-latest
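Review bot: the new top-level `permissions:` / `contents: read` block applies to every step of the `update-plugins` job, so any step in this workflow that still performs a write with the default token (a `git push` over the checkout's token, or a `gh pr merge` without `GH_TOKEN: ${{ secrets.PLUGINS_PAT }}`) will start failing on the next 06:00 UTC run rather than at review time; please confirm that each cloning, pushing and Dependabot-merge step named in the comment explicitly uses `secrets.PLUGINS_PAT`, and consider having the comment above `permissions:` say where in the job that token is passed, so the read-only scope is not loosened again by the next person who hits a 403.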