diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml index b59be5f..410dc3c 100644 --- a/.github/workflows/boj-build.yml +++ b/.github/workflows/boj-build.yml @@ -1,19 +1,19 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later name: BoJ Server Build Trigger - on: push: - branches: [ main, master ] + branches: [main, master] workflow_dispatch: - jobs: trigger-boj: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Trigger BoJ Server (Casket/ssg-mcp) run: | # Send a secure trigger to boj-server to build this repository curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke" -H "Content-Type: application/json" -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"} continue-on-error: true +permissions: + contents: read diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 612bbd1..830b0ad 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -10,7 +10,8 @@ # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # -permissions: read-all +permissions: + contents: read name: "CodeQL Advanced" diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml index 94417d1..bffa3ff 100644 --- a/.github/workflows/guix-nix-policy.yml +++ b/.github/workflows/guix-nix-policy.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: Guix/Nix Package Policy on: [push, pull_request] diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml index f2bf132..1250a56 100644 --- a/.github/workflows/hypatia-scan.yml +++ b/.github/workflows/hypatia-scan.yml @@ -11,7 +11,8 @@ on: - cron: '0 0 * * 0' # Weekly on Sunday workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: scan: diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml index de9dd92..bfef51f 100644 --- a/.github/workflows/mirror.yml +++ b/.github/workflows/mirror.yml @@ -8,7 +8,8 @@ on: - 'v*' workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: mirror-gitlab: diff --git a/.github/workflows/npm-bun-blocker.yml b/.github/workflows/npm-bun-blocker.yml index 2d2783b..c6b6726 100644 --- a/.github/workflows/npm-bun-blocker.yml +++ b/.github/workflows/npm-bun-blocker.yml @@ -2,7 +2,8 @@ name: NPM/Bun Blocker on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: check: diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index 79b0ae2..720ed36 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: Code Quality on: [push, pull_request] diff --git a/.github/workflows/rsr-antipattern.yml b/.github/workflows/rsr-antipattern.yml index 24ebdf7..e89406f 100644 --- a/.github/workflows/rsr-antipattern.yml +++ b/.github/workflows/rsr-antipattern.yml @@ -5,7 +5,8 @@ # Enforces: No TypeScript, No Go, No Python (except SaltStack), No npm # Allows: ReScript, Deno, WASM, Rust, OCaml, Haskell, Guile/Scheme -permissions: read-all +permissions: + contents: read name: RSR Anti-Pattern Check diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml index 58b1f09..26322c9 100644 --- a/.github/workflows/scorecard-enforcer.yml +++ b/.github/workflows/scorecard-enforcer.yml @@ -9,7 +9,8 @@ on: - cron: '0 6 * * 1' # Weekly on Monday workflow_dispatch: -permissions: read-all +permissions: + contents: read jobs: scorecard: diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 00c6a6d..cf4f92e 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -6,7 +6,8 @@ on: schedule: - cron: '0 4 * * 0' -permissions: read-all +permissions: + contents: read jobs: analysis: diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml index 051fecf..fd62c4f 100644 --- a/.github/workflows/secret-scanner.yml +++ b/.github/workflows/secret-scanner.yml @@ -7,7 +7,8 @@ on: push: branches: [main] -permissions: read-all +permissions: + contents: read jobs: trufflehog: diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml index 56a55a5..91ac34b 100644 --- a/.github/workflows/security-policy.yml +++ b/.github/workflows/security-policy.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: Security Policy on: [push, pull_request] diff --git a/.github/workflows/ts-blocker.yml b/.github/workflows/ts-blocker.yml index 5c34a58..6a09ba2 100644 --- a/.github/workflows/ts-blocker.yml +++ b/.github/workflows/ts-blocker.yml @@ -2,7 +2,8 @@ name: TypeScript/JavaScript Blocker on: [push, pull_request] -permissions: read-all +permissions: + contents: read jobs: check: diff --git a/.github/workflows/wellknown-enforcement.yml b/.github/workflows/wellknown-enforcement.yml index 9a4a866..f8c6b90 100644 --- a/.github/workflows/wellknown-enforcement.yml +++ b/.github/workflows/wellknown-enforcement.yml @@ -1,5 +1,6 @@ # SPDX-License-Identifier: PMPL-1.0-or-later -permissions: read-all +permissions: + contents: read name: Well-Known Standards (RFC 9116 + RSR) on: diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml index 94dd0b2..e97d211 100644 --- a/.github/workflows/workflow-linter.yml +++ b/.github/workflows/workflow-linter.yml @@ -10,7 +10,8 @@ on: paths: - '.github/workflows/**' -permissions: read-all +permissions: + contents: read jobs: lint-workflows: diff --git a/tests/fuzz/placeholder.txt b/tests/fuzz/placeholder.txt new file mode 100644 index 0000000..8621280 --- /dev/null +++ b/tests/fuzz/placeholder.txt @@ -0,0 +1 @@ +Scorecard requirement placeholder