From 84615bf93e772306f7d472da58d57d260db845d8 Mon Sep 17 00:00:00 2001
From: Becky Smith
Date: Wed, 4 Mar 2026 15:57:14 +0000
Subject: [PATCH 1/3] Restrict GITHUB_TOKEN permissions in workflows

Ensure workflows have the minimum required permissions and silence the security alerts
---
 .github/workflows/check-auth-header.yaml | 2 ++
 .github/workflows/tests.yaml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/.github/workflows/check-auth-header.yaml b/.github/workflows/check-auth-header.yaml
index a75c672..205522e 100644
--- a/.github/workflows/check-auth-header.yaml
+++ b/.github/workflows/check-auth-header.yaml
@@ -4,6 +4,8 @@ on:
 # 09:00 UTC every day
 - cron: '0 9 * * *'
 workflow_dispatch:
+permissions:
+ contents: read
 env:
 EXPECTED: 'realm="https://ghcr.io/token",service="ghcr.io",scope="repository:user/image:pull"'
 jobs:
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 4532383..380ad1e 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -3,6 +3,8 @@ on:
 pull_request:
 env:
 IMAGE_NAME: opensafely-proxy
+permissions:
+ contents: read
 jobs:
 build:
 runs-on: ubuntu-latest

From 0464022e3741834c89982279ec20517a5c853a4a Mon Sep 17 00:00:00 2001
From: Becky Smith
Date: Wed, 4 Mar 2026 15:58:26 +0000
Subject: [PATCH 2/3] Use v6 of actions/checkout

---
 .github/workflows/build_and_publish.yaml | 2 +-
 .github/workflows/check-auth-header.yaml | 2 +-
 .github/workflows/tests.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build_and_publish.yaml b/.github/workflows/build_and_publish.yaml
index f03506b..5af9680 100644
--- a/.github/workflows/build_and_publish.yaml
+++ b/.github/workflows/build_and_publish.yaml
@@ -16,7 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: checkout
- uses: actions/checkout@master
+ uses: actions/checkout@v6
 - uses: extractions/setup-just@69d82fb0233557aec017ef13706851d0694e0f1d
 - name: Build image
 run: just build 
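Review bot: The new `uses: actions/checkout@v6` line pins to a mutable tag, while the `extractions/setup-just@69d82fb…` step two lines below is pinned to a full commit SHA; mixing the two styles in one workflow means the checkout step can still change without any diff in this repository, and the same pattern appears in the check-auth-header.yaml and tests.yaml hunks of this patch. Pinning to the commit behind the release, `uses: actions/checkout@<full-commit-sha>  # v6`, is consistent with the neighbouring step and keeps the Dependabot entry added in the next patch able to bump the SHA and the version comment together. Separately, build_and_publish.yaml is the only workflow that the first patch in this series did not give a top-level `permissions:` block; unless it already declares one outside this hunk, it keeps the repository-default GITHUB_TOKEN permissions, which matters most for the workflow whose name suggests it pushes an image, so a minimal block (`contents: read` plus only the write scope the publish step actually needs) is worth adding.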
diff --git a/.github/workflows/check-auth-header.yaml b/.github/workflows/check-auth-header.yaml
index 205522e..e81be24 100644
--- a/.github/workflows/check-auth-header.yaml
+++ b/.github/workflows/check-auth-header.yaml
@@ -13,6 +13,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: checkout
- uses: actions/checkout@master
+ uses: actions/checkout@v6
 - name: check
 run: python3 check-header.py
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 380ad1e..305778b 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: checkout
- uses: actions/checkout@master
+ uses: actions/checkout@v6
 - uses: extractions/setup-just@69d82fb0233557aec017ef13706851d0694e0f1d
 - name: Build image
 run: just build

From 61631477596e3a9d890b64b1953e4da39d1fa1b6 Mon Sep 17 00:00:00 2001
From: Becky Smith
Date: Wed, 4 Mar 2026 15:58:43 +0000
Subject: [PATCH 3/3] Dependabot config for github actions updates

---
 .github/dependabot.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1ae86b6..81db4dd 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,12 @@ updates:
 directory: "/" # Location of package manifests
 schedule:
 interval: "daily"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 7
+ commit-message:
+ prefix: "chore: "
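Review bot: The new `github-actions` entry combines `interval: "weekly"` with `cooldown: default-days: 7`, so a freshly released action version can wait close to two weeks before a PR is opened; since this series exists to address security alerts, confirm that delay is acceptable and check whether Dependabot applies the cooldown to security-flagged updates before relying on it for those. The entry also carries no comment explaining the choice, while the existing entry above annotates its `directory`; a line such as `# Weekly, with a 7-day cooldown so short-lived releases are skipped` above `schedule:` would record the intent. Note that with the workflows pinned to the floating `v6` tag by the previous patch, this entry will only propose major-version bumps; pinning each action to a commit SHA with a trailing `# v6`-style comment lets Dependabot bump the SHA and the comment together.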