Fix the workflows #427
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -9,18 +9,6 @@ on: | |
|
|
||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
|
|
||
| build-client: | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,29 +1,24 @@ | ||
| name: auto-merge | ||
|
Contributor
There was a problem hiding this comment. Consider keeping the workflow name as 'dependabot-auto-merge' since it more specifically describes its primary purpose of handling Dependabot PRs. |
||
|
|
||
| on: pull_request | ||
|
Contributor
There was a problem hiding this comment. 🛑 Security Risk: Changing from Footnotes
|
||
|
|
||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
|
|
||
| jobs: | ||
| auto-merge: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| if: github.event.pull_request.draft == false | ||
|
|
||
|
Contributor
There was a problem hiding this comment. The condition |
||
| steps: | ||
| - uses: actions/checkout@v5 | ||
|
|
||
| - name: Enable auto-merge for Pull Request | ||
| run: | | ||
| gh pr review --approve "$PR_URL" | ||
| gh pr merge --auto --squash "$PR_URL" | ||
| env: | ||
| PR_URL: ${{github.event.pull_request.html_url}} | ||
| GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | ||
|
Contributor
There was a problem hiding this comment. Consider retaining the Slack notification for failed auto-merges as it provides valuable monitoring capabilities for the automation process. |
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🛑 Security Risk: Removing the permissions block from the CI workflow removes the principle of least privilege. GitHub Actions workflows should explicitly define minimum required permissions1.
Footnotes
CWE-250: Execution with Unnecessary Privileges - https://cwe.mitre.org/data/definitions/250.html ↩