From 6ef20c151be457aad5f02a9a1844457f193c1b74 Mon Sep 17 00:00:00 2001
From: Mathieu Benoit
Date: Sun, 1 Mar 2026 20:01:32 -0500
Subject: [PATCH 1/3] Revise permissions and update action versions with sha

Updated action versions and permissions in the workflow.

Signed-off-by: Mathieu Benoit
---
 .github/workflows/hugo.yaml | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/hugo.yaml b/.github/workflows/hugo.yaml
index 9ef93c9..885b15c 100644
--- a/.github/workflows/hugo.yaml
+++ b/.github/workflows/hugo.yaml
@@ -11,26 +11,28 @@ on:
 
 permissions:
   contents: read
-  pages: write
-  id-token: write
+
 concurrency:
   group: "pages"
   cancel-in-progress: false
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set Node.js 20
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: 20
       - name: Install Node.js dependencies
         run: npm ci
       - name: Setup Pages
         id: pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
       - name: Build with Hugo
         run: |
           node_modules/.bin/hugo/hugo \
@@ -38,7 +40,7 @@ jobs:
             --environment production \
             --baseURL "${{ steps.pages.outputs.base_url }}/"
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v4
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
         with:
           path: ./public
   deploy:
@@ -46,8 +48,11 @@ jobs:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      id-token: write
     needs: build
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
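Review bot: The build job's new job-level block grants `id-token: write`, yet none of the build steps visible in this hunk or the next (checkout, setup-node, npm ci, configure-pages, the Hugo build, upload-pages-artifact) appear to request an OIDC token; the consumer is deploy-pages in the deploy job, which the third hunk already grants separately. Suggest trimming the build job to `permissions:` / `pages: write` so the OIDC-capable token exists only in the deploy job, and checking configure-pages' README for whether it needs `pages: write` at all when it is not enabling Pages — if it only reads the site configuration, `pages: read` may suffice. The SHA pins with `# vX.Y.Z` trailers are the right shape; keep each trailer in step with its SHA, since it is the only human-readable record of what was pinned.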
From af475ce3afd66c5b2f7bbbf5062f997c23dc6386 Mon Sep 17 00:00:00 2001
From: Mathieu Benoit
Date: Sun, 1 Mar 2026 20:02:38 -0500
Subject: [PATCH 2/3] Modify pull request workflow permissions and actions

Updated permissions and action versions in workflow.

Signed-off-by: Mathieu Benoit
---
 .github/workflows/pull-request.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index d68a3a5..554283c 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -8,12 +8,15 @@ on:
       - CONTRIBUTING.md
       - CODE_OF_CONDUCT.md
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: 20
       - run: npm ci

From 408a96e930f56438fdb572b5b9a19d90c6daa888 Mon Sep 17 00:00:00 2001
From: Mathieu Benoit
Date: Sun, 1 Mar 2026 20:03:08 -0500
Subject: [PATCH 3/3] Update Dependabot auto-merge workflow permissions

Change permissions for contents to read in workflow.

Signed-off-by: Mathieu Benoit
---
 .github/workflows/dependabot-auto-merge.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
index 3f6a2a1..5c05b7f 100644
--- a/.github/workflows/dependabot-auto-merge.yaml
+++ b/.github/workflows/dependabot-auto-merge.yaml
@@ -1,11 +1,13 @@
 name: Dependabot auto-merge
 on: pull_request
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 jobs:
   dependabot-auto-merge:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     if: ${{ github.actor == 'dependabot[bot]' && !github.event.pull_request.auto_merge }}
     steps:
       - name: Approve a PR
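Review bot: In dependabot-auto-merge.yaml the job-level `contents: write` and `pull-requests: write` are now the only write scopes in the file, but nothing records which step needs each one, and the step list runs past the hunk with only "Approve a PR" visible. Suggest a comment above the block, `# pull-requests: write: approve the PR` / `# contents: write: only needed if a later step enables auto-merge`, and if no step actually enables auto-merge, drop `contents: write` so an approve-only job keeps read access to the repository. The `if:` gate on `github.actor` predates this change and is what keeps the escalated token off non-Dependabot pull requests, so the job-level block sitting directly beside it, as done here, is the right placement.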