mirror of
https://github.com/systemd/systemd
synced 2024-10-06 16:21:34 +00:00
ci: pin labeler
Turns out GHActions where `pull_request_target` is used are capable of pwning repositories: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ labeler doesn't check out the source code or build anything so it's safe in its current form but to avoid surprises let's just pin it to the latest version. It's annoying to manage dependencies like this manually so additionally dependabot.yml is introduced to make it easier to keep GHActions up to date more or less automatically: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot
This commit is contained in:
Evgeny Vereshchagin
parent
33796123bc
commit
5570313421
6
.github/dependabot.yml
vendored
Normal file
6
.github/dependabot.yml
vendored
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
version: 2
|
||||
updates:
|
||||
- package-ecosystem: "github-actions"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "daily"
|
||||
2
.github/workflows/labeler.yml
vendored
2
.github/workflows/labeler.yml
vendored
|
|
@ -11,7 +11,7 @@ jobs:
|
|||
triage:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/labeler@main
|
||||
- uses: actions/labeler@69da01b8e0929f147b8943611bee75ee4175a49e
|
||||
with:
|
||||
repo-token: "${{ secrets.GITHUB_TOKEN }}"
|
||||
configuration-path: .github/labeler.yml
|
||||
|
|
|
|||
Loading…
Reference in a new issue