ci: harden GitHub Actions workflows with least-privilege permissions #15772
Open
FredKSchott wants to merge 1 commit into main from
Conversation
…and secure credential handling
matthewp approved these changes on Mar 5, 2026
ematipico reviewed on Mar 5, 2026
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| - name: Send a POST request to Netlify to rebuild preview.astro.new | ||
| run: 'curl -X POST -d {} ${{ env.BUILD_HOOK }}' | ||
| run: 'curl -X POST -d {} "$BUILD_HOOK"' |
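Review bot: the change from `${{ env.BUILD_HOOK }}` to `"$BUILD_HOOK"` is correct and needs no extra wiring, since the removed line already read the value from the `env` context, so the `env:` mapping for this step exists. The reason should go in the PR description, because it is not obvious from the diff: a `${{ }}` expression is substituted into the script text before the shell parses it, so whatever the value contains is interpreted as shell code, whereas `"$BUILD_HOOK"` is read by the shell at run time and stays one quoted argument. Separately, consider adding `--fail` to the `curl` call so a non-2xx response from the build hook fails the step instead of passing silently.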
Member
What are we changing here? I think this isn't mentioned in the PR description
| OVSX_TOKEN: ${{ secrets.OVSX_TOKEN }} | ||
| run: | | ||
| npx ovsx publish -p ${{ secrets.OVSX_TOKEN }} --target win32-x64 win32-arm64 linux-x64 linux-arm64 linux-armhf darwin-x64 darwin-arm64 alpine-x64 alpine-arm64 | ||
| npx ovsx publish -p "$OVSX_TOKEN" --target win32-x64 win32-arm64 linux-x64 linux-arm64 linux-armhf darwin-x64 darwin-arm64 alpine-x64 alpine-arm64 |
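Review bot: the `env:` entry plus `-p "$OVSX_TOKEN"` keeps the secret out of the generated shell text, and GitHub's log masking still applies because the value is the registered secret string. Two follow-ups: this is the "intermediate environment variable" pattern from GitHub's security-hardening guide for Actions, and the PR description should cite it so the question raised here has an answer in the record; and the token is still passed as a command-line argument, which is visible to other processes on the runner through the process table, so check whether the ovsx CLI can read it from an environment variable instead (I recall `OVSX_PAT`; verify against the CLI documentation before relying on it).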
Member
This. I didn't know it was possible, is there some GitHub reference about it?
Comment on lines +120 to +125
| DISCORD_MESSAGE: ${{ steps.message.outputs.DISCORD_MESSAGE }} | ||
| run: | | ||
| jq -n --arg content "$DISCORD_MESSAGE" '{content: $content}' | \ | ||
| curl -X POST "$DISCORD_WEBHOOK" \ | ||
| -H "Content-Type: application/json" \ | ||
| -d @- |
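Review bot: agree that this belongs in its own PR, because unlike the other hunks it changes behaviour: the body is now produced by `jq -n --arg content "$DISCORD_MESSAGE" '{content: $content}'`, which JSON-encodes the message (quotes, backslashes, newlines) rather than splicing it into a literal, and that is the right fix if the message content is not fully under the workflow's control, but it needs a test run against the webhook. When it lands, two details: the hunk does not show whether the step sets `shell: bash`; without it the default shell is `bash -e` with no `pipefail`, so a `jq` failure would be hidden by a successful `curl` (set `shell: bash` or add `set -o pipefail`). And add `--fail` (or `--fail-with-body`) to `curl` so an HTTP 4xx/5xx from Discord fails the step rather than being logged as success.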
Member
Can we move this change to another PR? We don't know if this change will work
Changes
- actions/labeler to commit SHA and add explicit permissions block
- actions/labeler
- secrets: inherit with explicit secret passing in format.yml workflow
- check.yml, cleanup-cache.yml, scripts.yml, test-hosts.yml)
- actions: write, checks: write, and statuses: write permissions from workflows
- persist-credentials: false to diff-dependencies.yml checkout step
- VSCE_TOKEN, OVSX_TOKEN, and Netlify webhook
- curl call for better supply chain management
Testing
No functional changes to workflow behavior. All changes follow GitHub Actions security best practices for:
Docs
No docs changes needed - these are internal CI/CD workflow improvements.
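The following is an added illustration of the patterns the description lists, placed side by side as a weak and a hardened version of one publish job. It is not a workflow file from this repository: the workflow name, job names, secret names, reusable-workflow path and the all-zero commit SHA are placeholders.

```yaml
# Added example, not a file from this repository. Names, secret names, the
# reusable-workflow path and the action SHA are placeholders.

# --- before: default token permissions, mutable action tag, secret spliced into the script ---
name: publish
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # mutable tag: can point at different code between runs
      - run: npx ovsx publish -p ${{ secrets.OVSX_TOKEN }}   # expression expanded into shell text
  notify:
    needs: publish
    uses: ./.github/workflows/notify.yml   # placeholder path
    secrets: inherit                       # forwards every repository secret, needed or not
---
# --- after: least privilege, pinned action, secret read as data, explicit secret passing ---
name: publish
on:
  push:
    tags: ['v*']
permissions: {}                            # workflow-level default: GITHUB_TOKEN gets no scopes
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read                       # only what this job actually needs
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.x.y (placeholder SHA)
        with:
          persist-credentials: false       # do not leave GITHUB_TOKEN in .git/config for later steps
      - name: Publish
        env:
          OVSX_TOKEN: ${{ secrets.OVSX_TOKEN }}   # expression evaluated into the environment, not the script
        run: npx ovsx publish -p "$OVSX_TOKEN"    # quoted env var: data, never parsed as shell
  notify:
    needs: publish
    uses: ./.github/workflows/notify.yml   # placeholder path
    secrets:
      DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}   # pass exactly the secrets the callee uses
```

The two documents differ only in the settings the PR touches: `permissions` narrowed at workflow and job level, the action pinned to a full commit SHA with the tag kept as a comment for readability, `persist-credentials: false` so steps that run third-party tooling cannot pick the token out of the checkout, the secret routed through `env:` and consumed as `"$OVSX_TOKEN"`, and an explicit `secrets:` mapping in place of `secrets: inherit`.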