chore(ci): Maximize CI/CD values (Dependabot & Permissions)#1
chore(ci): Maximize CI/CD values (Dependabot & Permissions)#1hyperpolymath merged 4 commits intomainfrom
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c17a01d41d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - package-ecosystem: "github-actions" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "daily" |
There was a problem hiding this comment.
This turns on daily github-actions update PRs, but those PRs will touch .github/workflows/** and therefore trigger Workflow Security Linter. Its SHA-pinning check in .github/workflows/workflow-linter.yml:61-76 currently matches its own comment/script lines and the helper grep in .github/workflows/scorecard-enforcer.yml:65-72, so every Dependabot action-update PR will start out red until that linter is fixed or excluded.
Useful? React with 👍 / 👎.
.github/workflows/boj-build.yml
Outdated
| # Send a secure trigger to boj-server to build this repository | ||
| curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke" -H "Content-Type: application/json" -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"} | ||
| continue-on-error: true | ||
| permissions: read-all |
There was a problem hiding this comment.
If Workflow Security Linter is a required check for workflow changes, this edit still leaves boj-build.yml unmergeable because .github/workflows/workflow-linter.yml:27-40 rejects any workflow whose first line is not # SPDX-License-Identifier:. I checked the current tree and boj-build.yml is still the only workflow that starts directly with name: instead of the mandated header.
Useful? React with 👍 / 👎.
|
1 participant
This automated PR updates your CI/CD configurations to maximize value and security.
github-actionsis monitored for updates.permissions: read-allto workflows missing explicit permissions.