From 5d03c86e2615ba04a2dcb4ec2ed2cd659eecdb98 Mon Sep 17 00:00:00 2001 From: h0x0er <84621253+h0x0er@users.noreply.github.com> Date: Fri, 4 Feb 2022 10:42:13 +0530 Subject: [PATCH 1/2] Added token permission for deployments/azure-staticwebapp.yml --- deployments/azure-staticwebapp.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index 8e1faf7..5430f04 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -28,8 +28,14 @@ env: APP_ARTIFACT_LOCATION: "build" # location of client code build output AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app +permissions: + contents: read + jobs: build_and_deploy_job: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: write # for Azure/static-web-apps-deploy to comment on PRs if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') runs-on: ubuntu-latest name: Build and Deploy Job @@ -52,6 +58,8 @@ jobs: ###### End of Repository/Build Configurations ###### close_pull_request_job: + permissions: + contents: none if: github.event_name == 'pull_request' && github.event.action == 'closed' runs-on: ubuntu-latest name: Close Pull Request Job From a3f4ca426faa51fdc07d753951ef8aa85bfb635a Mon Sep 17 00:00:00 2001 From: Federico Builes Date: Mon, 16 May 2022 13:44:34 -0700 Subject: [PATCH 2/2] Fixing typo in dependency-review-action. --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 0e72a00..8966511 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -1,6 +1,6 @@ # Dependency Review Action # -# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. # # Source repository: https://github.com/actions/dependency-review-action # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement