chore: pin workflow actions + tighten permissions

2026-02-09 05:19:32 +08:00 · 2026-01-31 06:22:42 +01:00
parent 0b95efff27
commit 85dd070dea
2 changed files with 12 additions and 10 deletions
--- a/.github/workflows/auto-response.yml
+++ b/.github/workflows/auto-response.yml
@@ -6,21 +6,22 @@ on:
  pull_request_target:
    types: [labeled]

-permissions:
-  issues: write
-  pull-requests: write
+permissions: {}

 jobs:
  auto-response:
+    permissions:
+      issues: write
+      pull-requests: write
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
        id: app-token
        with:
          app-id: "2729701"
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Handle labeled items
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          script: |
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -4,20 +4,21 @@ on:
  pull_request_target:
    types: [opened, synchronize, reopened]

-permissions:
-  contents: read
-  pull-requests: write
+permissions: {}

 jobs:
  label:
+    permissions:
+      contents: read
+      pull-requests: write
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
        id: app-token
        with:
          app-id: "2729701"
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/labeler@v5
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
        with:
          configuration-path: .github/labeler.yml
          repo-token: ${{ steps.app-token.outputs.token }}