From 2e3913d327f04fd119fb727bc5ee35613282a45f Mon Sep 17 00:00:00 2001 From: Beka Westberg Date: Mon, 4 Apr 2022 15:40:50 -0700 Subject: [PATCH 1/3] chore: update renamings file for new release (#6063) --- scripts/migration/renamings.json5 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/migration/renamings.json5 b/scripts/migration/renamings.json5 index 2d456384d..2de068b49 100644 --- a/scripts/migration/renamings.json5 +++ b/scripts/migration/renamings.json5 @@ -1257,7 +1257,7 @@ }, ], - 'develop': [ + '8.0.0': [ { oldName: 'Blockly', exports: { @@ -1335,5 +1335,7 @@ newName: 'Blockly.dropDownDiv', newPath: 'Blockly.DropDownDiv', }, - ] + ], + + 'develop': [ ], } From e0d81ef03d005192746e9a9a985b3039ba82f30a Mon Sep 17 00:00:00 2001 From: Naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Mon, 18 Apr 2022 10:59:51 -0500 Subject: [PATCH 2/3] chore: Set permissions for GitHub actions (#6077) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/build.yml | 3 +++ .github/workflows/check_clang_format.yml | 3 +++ .github/workflows/update_metadata.yml | 6 ++++++ 3 files changed, 12 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c7cdc1874..289542ece 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,6 +5,9 @@ name: Node.js CI on: [pull_request] +permissions: + contents: read + jobs: build: runs-on: ${{ matrix.os }} diff --git a/.github/workflows/check_clang_format.yml b/.github/workflows/check_clang_format.yml index 57a29fe3b..490dea26c 100644 --- a/.github/workflows/check_clang_format.yml +++ b/.github/workflows/check_clang_format.yml @@ -4,6 +4,9 @@ name: Check clang format # submitted branch. on: [pull_request] +permissions: + contents: read + jobs: clang-formatter: runs-on: ubuntu-latest diff --git a/.github/workflows/update_metadata.yml b/.github/workflows/update_metadata.yml index 82a36230f..3ca154057 100644 --- a/.github/workflows/update_metadata.yml +++ b/.github/workflows/update_metadata.yml @@ -5,8 +5,14 @@ name: Update Metadata on: [workflow_dispatch] +permissions: + contents: read + jobs: update-metadata: + permissions: + contents: write # for peter-evans/create-pull-request to create branch + pull-requests: write # for peter-evans/create-pull-request to create a PR runs-on: ubuntu-latest steps: From d2329f8cba661999cc7f03fcd6c0196770b05cdc Mon Sep 17 00:00:00 2001 From: Naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Mon, 18 Apr 2022 11:00:08 -0500 Subject: [PATCH 3/3] chore: Included githubactions for dependabot (#6080) This should help with keeping the GitHub actions updated on new releases. This will also help with keeping it secure. Dependabot helps in keeping the supply chain secure https://docs.github.com/en/code-security/dependabot GitHub actions up to date https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- .github/dependabot.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 52796d119..65f8104c4 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -21,3 +21,13 @@ updates: labels: - "PR: chore" - "PR: dependencies" + - package-ecosystem: "github-actions" # See documentation for possible values + directory: "/" + target-branch: "develop" + schedule: + interval: "weekly" + commit-message: + prefix: "chore(deps)" + labels: + - "PR: chore" + - "PR: dependencies"