diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index 8bcd407..517668f 100644 --- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml @@ -42,6 +42,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: actionlint uses: reviewdog/action-actionlint@v1.62.0 with: diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml index 748e9b3..4459865 100644 --- a/.github/workflows/cargo-deny.yml +++ b/.github/workflows/cargo-deny.yml @@ -20,6 +20,8 @@ jobs: cargo install cargo-deny - name: checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: check run: | cargo deny check diff --git a/.github/workflows/rust-wasm.yml b/.github/workflows/rust-wasm.yml index df0e528..2a6af40 100644 --- a/.github/workflows/rust-wasm.yml +++ b/.github/workflows/rust-wasm.yml @@ -32,13 +32,14 @@ jobs: - os: windows-2022 wasmpack_target_triple: x86_64-pc-windows-msvc wasmpack_name: wasm-pack.exe - # FIXME: windows does not recognize /usr/local/bin, causing build to be failed fail-fast: false runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false - name: Rust Cache uses: Swatinem/rust-cache@v2.7.7 with: diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 572e1ea..3dcd070 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -43,6 +43,8 @@ jobs: run: | echo '${{ toJSON(matrix) }}' - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false - name: Install compiler ${{ matrix.rustc_channel }} ( ${{ matrix.rustc_version }} ) run: | if [[ "${{ matrix.rustc_channel }}" == nightly ]]; then diff --git a/.github/workflows/todo-as-issue.yml b/.github/workflows/todo-as-issue.yml index b39b28c..20b0238 100644 --- a/.github/workflows/todo-as-issue.yml 
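Review bot: In .github/workflows/actionlint.yml the hardened checkout step still references the mutable tag `actions/checkout@v4`, and the following step uses `reviewdog/action-actionlint@v1.62.0`, so a moved tag would change what runs in this job without any change to the repository. rust.yml and rust-wasm.yml in this same commit already use `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4`, and the same line would fit here. The checkout steps in cargo-deny.yml, validate-renovate-custom-managers.yml and validate-renovate.yml have the same tag reference. `alstr/todo-to-issue-action@v5` in todo-as-issue.yml deserves the pin most, since it runs in a job holding `issues: write`; third-party actions can be written as `uses: OWNER/ACTION@<COMMIT_SHA> # vX.Y.Z`.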
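Review bot: In cargo-deny.yml the `cargo install cargo-deny` line just above the checkout step installs whatever release is newest at run time and resolves its dependencies afresh, so the tool that gates the dependency tree is itself unpinned. Consider `cargo install --locked cargo-deny --version <PINNED_VERSION>`, which builds a known release against the lockfile published with the crate. The install step begins outside this hunk, so any pinning done earlier in it is not visible here.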
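Review bot: In rust-wasm.yml the comment `# FIXME: windows does not recognize /usr/local/bin, causing build to be failed` is removed next to the `windows-2022` matrix entry, but nothing else in this hunk touches Windows path handling. If the problem is still open, the comment should stay or be replaced by a pointer such as `# FIXME(<ISSUE_URL>): /usr/local/bin is not recognized on windows-2022`. If it has been fixed, the removal belongs in its own commit so that the credential-hardening change stays easy to audit.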
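Review bot: In rust.yml the `run:` blocks on either side of the checkout step expand `${{ toJSON(matrix) }}` and `${{ matrix.rustc_channel }}` directly into the script text, so the values are substituted before bash parses the script. Matrix values normally come from the workflow file itself, so the exposure is probably low, but passing them through the environment keeps the script text fixed. Add an `env:` entry `RUSTC_CHANNEL: ${{ matrix.rustc_channel }}` to the step and test `if [[ "$RUSTC_CHANNEL" == nightly ]]; then`. The install step's body continues past the end of the hunk.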
+++ b/.github/workflows/todo-as-issue.yml @@ -3,15 +3,19 @@ on: push: branches: - master -permissions: - contents: read - issues: write jobs: build: + permissions: + contents: read + issues: write runs-on: "ubuntu-24.04" steps: - - uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683" # v4 - - name: "TODO to Issue" - uses: "alstr/todo-to-issue-action@v5" - with: - AUTO_ASSIGN: true + - + uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683" # v4 + with: + persist-credentials: false + - + name: "TODO to Issue" + uses: "alstr/todo-to-issue-action@v5" + with: + AUTO_ASSIGN: true diff --git a/.github/workflows/validate-renovate-custom-managers.yml b/.github/workflows/validate-renovate-custom-managers.yml index 4ab8bef..90fe277 100644 --- a/.github/workflows/validate-renovate-custom-managers.yml +++ b/.github/workflows/validate-renovate-custom-managers.yml @@ -14,5 +14,7 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: check run: ./.github/workflows/shell_scripts/validate-renovate-custom-managers.sh diff --git a/.github/workflows/validate-renovate.yml b/.github/workflows/validate-renovate.yml index 0d6781e..dae5410 100644 --- a/.github/workflows/validate-renovate.yml +++ b/.github/workflows/validate-renovate.yml @@ -6,16 +6,17 @@ on: - 'renovate.json' - '.github/workflows/validate-renovate.yml' -permissions: - contents: read - pull-requests: write - jobs: lint: + permissions: + contents: read + pull-requests: write name: run renovate-config-validator runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: run lint and report env: URL: ${{ github.event.pull_request.html_url }}
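Review bot: In todo-as-issue.yml, moving `permissions` from the workflow level onto the `build` job leaves the workflow with no top-level `permissions` key, so any job added later would fall back to the repository's default token scopes. Keeping a deny-by-default `permissions: {}` at the top, alongside the job-level grant of `contents: read` and `issues: write`, preserves least privilege for future jobs. validate-renovate.yml gets the same move for its `lint` job (`pull-requests: write`) and would benefit from the same line.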