diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index bc63aca35..1bc0eb3ff 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,5 @@ updates:
     directory: '/'
     schedule:
       interval: 'monthly'
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
index e236f78d2..37d9ef676 100644
--- a/.github/workflows/add-to-project.yml
+++ b/.github/workflows/add-to-project.yml
@@ -4,7 +4,7 @@ on:
   issues:
     types:
       - opened
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
     types:
       - opened
 
diff --git a/.github/workflows/check-blog-links.yml b/.github/workflows/check-blog-links.yml
index 55c9fa001..f5571bd32 100644
--- a/.github/workflows/check-blog-links.yml
+++ b/.github/workflows/check-blog-links.yml
@@ -7,6 +7,8 @@ on:
     paths:
       - blog/*.md
 
+permissions: {}
+
 jobs:
   check-blog-links:
     name: Check Blog Links
@@ -15,6 +17,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Setup Node.js
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 180b0f0e7..db3c0c4e1 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag: v6.0.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # tag: v6.2.0
         with:
 
diff --git a/.github/workflows/push-main.yml b/.github/workflows/push-main.yml
index 0bb5c4040..f3a2a231b 100644
--- a/.github/workflows/push-main.yml
+++ b/.github/workflows/push-main.yml
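Review bot: The new `cooldown:` / `default-days: 7` stanza under `schedule` in dependabot.yml carries no comment, so a later reader cannot tell whether the seven days is noise reduction or a deliberate supply-chain buffer against freshly published, possibly compromised releases. I would add, above `cooldown:`, `# Hold newly published versions for 7 days before proposing them, so a release that is quickly yanked or flagged is less likely to be pulled in.` As far as I recall the cooldown governs version updates only and does not delay Dependabot security updates; that is worth confirming against the Dependabot docs before relying on it either way.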
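Review bot: The `# zizmor: ignore[dangerous-triggers]` suppression on `pull_request_target:` in add-to-project.yml silences the finding but records no reason it is acceptable, so the next reader has to re-derive the argument. The trigger is presumably kept so that PRs from forks can be added to the board using the base repository's credentials; the justification that makes that safe is that the job only reads event metadata and never checks out or executes PR-head code, but the job body lies outside the hunk, so that should be confirmed before it is written down. I would record it on a comment line above the trigger, e.g. `# pull_request_target is needed so fork PRs reach the project board; the job reads event metadata only and never checks out PR-head code`, and keep the suppression scoped to this single trigger line as the hunk already does.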
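Review bot: The workflow-level `permissions: {}` added above `jobs:` in check-blog-links.yml strips every scope from the job token, but unlike the `crowdin-upload` job in push-main.yml (which this commit gives an explicit `contents: read`) the `check-blog-links` job receives no job-level grant in either of its hunks. For a public repository `actions/checkout` typically still succeeds with an unscoped token, so this is probably fine here, but it should be confirmed on a run; if the job does turn out to need the token, grant it narrowly under the job with `permissions:` / `  contents: read` rather than widening the workflow default. A short comment above the new line, such as `# Deny-by-default; jobs opt in to the scopes they need`, would make the intent survive the next edit.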
@@ -11,14 +11,20 @@ on:
 
 concurrency: publish
 
+permissions: {}
+
 jobs:
   # Make a reusable workflow
   crowdin-upload:
     if: github.repository == 'electron/website'
     name: Upload to Crowdin
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag: v6.0.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # tag: v6.2.0
         with:
           node-version-file: '.nvmrc'
@@ -45,6 +51,8 @@ jobs:
         run: ls -ln
       # This should be set up from earlier
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag: v6.0.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # tag: v6.2.0
         with:
           node-version-file: '.nvmrc'
diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml
index 38e563480..8c8608863 100644
--- a/.github/workflows/update-docs.yml
+++ b/.github/workflows/update-docs.yml
@@ -30,6 +30,7 @@ jobs:
           creds: ${{ secrets.DOCS_UPDATER_GH_APP_CREDS }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag: v6.0.2
         with:
+          persist-credentials: false
           token: ${{ steps.generate-token.outputs.token }}
       - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # tag: v6.2.0
         with:
diff --git a/.github/workflows/update-i18n-deploy.yml b/.github/workflows/update-i18n-deploy.yml
index aea89040f..51c378f2d 100644
--- a/.github/workflows/update-i18n-deploy.yml
+++ b/.github/workflows/update-i18n-deploy.yml
@@ -16,6 +16,8 @@ jobs:
     runs-on: ubuntu-latest
    steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag: v6.0.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # tag: v6.2.0
         with:
 
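Review bot: The workflow-level `permissions: {}` added above `jobs:` in push-main.yml revokes the default token scopes for every job in the file, yet only `crowdin-upload` receives a job-level `contents: read` in this hunk; the second hunk (old line 45 onward) touches another job whose header and any `permissions:` block lie outside the diff. Given `concurrency: publish`, that job plausibly deploys and would need explicit scopes, and with `persist-credentials: false` on its checkout it would also need an explicitly supplied token for any push, so it is worth confirming on a run that it still has what it needs. If it does carry its own grant, a one-line comment above `permissions: {}` such as `# Deny-by-default at workflow level; each job declares its own scopes` would document the pattern for the next editor.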
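Review bot: Adding `persist-credentials: false` to a checkout that is given `token: ${{ steps.generate-token.outputs.token }}` in update-docs.yml means the app token is used for the clone only and is no longer written into `.git/config`, so any later step that pushes a branch or opens a PR through plain `git` will fail unless it is handed the token explicitly (through the action's own token input or an authenticated remote URL). Those later steps are outside the hunk, so this needs a run to confirm; the short-lived app token itself is the right choice for the clone. The same caveat applies to the second push-main.yml hunk and to the update-i18n-deploy.yml and pull-request.yml hunks, where `persist-credentials: false` is added to checkouts whose later steps are not visible here; for steps that only build or test, the change is purely an improvement.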