Update .github/workflows/*.yml : YAML Lint, least-privilege permissions & actions versions
#279
+87
−76
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
data-douser
added
enhancement
Contributor
There was a problem hiding this comment.
Pull request overview
This pull request updates GitHub Actions workflow files to enhance security posture through explicit least-privilege permissions and attempts to modernize action dependencies. The key changes include adding permissions: contents: read to workflows lacking explicit permissions and upgrading several GitHub Actions to newer major versions (checkout@v6, upload-artifact@v6, download-artifact@v7). Additionally, the Node.js version for CDS compilation is updated from 18 to 20.
Key Changes
- Added explicit
permissions: contents: readto workflows to enforce least-privilege access - Upgraded actions/checkout from v5 to v6 across multiple workflows
- Upgraded actions/upload-artifact from v5 to v6 and actions/download-artifact from v6 to v7
- Updated Node.js version from 18 to 20 for CDS compilation step
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/update-codeql.yml |
Upgraded actions/checkout to v6 |
.github/workflows/run-codeql-unit-tests-javascript.yml |
Added permissions block, upgraded actions/checkout to v6 in multiple jobs, updated Node.js to v20, upgraded upload-artifact to v6 and download-artifact to v7 |
.github/workflows/codeql-ql.yml |
Added permissions block with contents: read |
.github/workflows/code_scanning.yml |
Added permissions block with contents: read, cleaned up trailing whitespace |
.github/workflows/cds-extractor-dist-bundle.yml |
Added permissions block, upgraded actions/checkout to v6, fixed indentation and formatting throughout the file |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary of Changes
This pull request updates several GitHub Actions workflow files to enhance security and modernize dependencies. The main changes include adding explicit
permissionssettings for workflows and upgrading various GitHub Actions to their latest major versions. Additionally, the Node.js version used for CDS compilation is updated.Security and permissions improvements:
permissions: contents: readto all workflows to explicitly specify the minimum required permissions, improving security. [1] [2] [3] [4]Dependency and environment updates:
actions/checkoutfrom v5 to v6 in all relevant workflows for improved performance and support. [1] [2] [3] [4] [5]actions/upload-artifactfrom v5 to v6 andactions/download-artifactfrom v6 to v7 to ensure compatibility with the latest features and bug fixes. [1] [2]