Skip to content

Update 8hobbies/workflows digest to 35aaff6#262

Merged
renovate[bot] merged 1 commit intomasterfrom
renovate/all-digest
Oct 12, 2025
Merged

Update 8hobbies/workflows digest to 35aaff6#262
renovate[bot] merged 1 commit intomasterfrom
renovate/all-digest

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Oct 12, 2025

This PR contains the following updates:

Package Type Update Change
8hobbies/workflows action digest 9ce095e -> 35aaff6

Configuration

📅 Schedule: Branch creation - "on Sunday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot enabled auto-merge (squash) October 12, 2025 08:15
@renovate renovate Bot requested a review from xuhdev as a code owner October 12, 2025 08:15
github-advanced-security[bot]
github-advanced-security AI found potential problems Oct 12, 2025
View reviewed changes
Comment thread .github/workflows/lint.yml
jobs:
lint:
uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@9ce095e975915c75b3fb9243d3a49dfce7fffe63
uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@35aaff65a539af824d36a72aac42393a71092cc9

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 7 months ago

To fix the detected issue, you should add the permissions key to the workflow definition (.github/workflows/lint.yml) at the root level (above jobs), unless jobs require specific permissions. As the lint job appears to perform only linting, it is likely sufficient to set contents: read. Place the permissions: block immediately after the workflow name: and before on:, as recommended by GitHub best practices. No additional imports, definitions, or methods are needed; the only change is the YAML block addition.

Suggested changeset 1
.github/workflows/lint.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -13,6 +13,8 @@
 # limitations under the License.
 
 name: Lint
+permissions:
+  contents: read
 
 on:
   push:
EOF
@@ -13,6 +13,8 @@
# limitations under the License.

name: Lint
permissions:
contents: read

on:
push:
Copilot is powered by AI and may make mistakes. Always verify output.
Comment thread .github/workflows/publish-dry-run.yml
jobs:
run:
uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@9ce095e975915c75b3fb9243d3a49dfce7fffe63
uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@35aaff65a539af824d36a72aac42393a71092cc9

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 7 months ago

To address this issue, you should add a permissions block to either the top level of .github/workflows/publish-dry-run.yml or to the specific job under jobs:. Since there is only a single job (run:), the recommended approach is to place the permissions key at the top level of the workflow file, just after the name: and before on:. This limits the permissions of GITHUB_TOKEN for the entire workflow unless overridden by a job. As a minimal starting point, use permissions: {} to fully restrict all default permissions. If your workflow requires specific permissions (for example, contents: read for fetching code), set only those that are necessary for the workflow to function. In this case, since the workflow delegates all functionality to a reusable workflow, it is safest to start with the most restrictive block {} and incrementally add needed permissions if jobs fail due to lack of access.

Suggested changeset 1
.github/workflows/publish-dry-run.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish-dry-run.yml b/.github/workflows/publish-dry-run.yml
--- a/.github/workflows/publish-dry-run.yml
+++ b/.github/workflows/publish-dry-run.yml
@@ -13,6 +13,7 @@
 # limitations under the License.
 
 name: Publish Dry Run
+permissions: {}
 
 on:
   push:
EOF
@@ -13,6 +13,7 @@
# limitations under the License.

name: Publish Dry Run
permissions: {}

on:
push:
Copilot is powered by AI and may make mistakes. Always verify output.
Comment thread .github/workflows/runtime.yml
jobs:
test:
uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@9ce095e975915c75b3fb9243d3a49dfce7fffe63
uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@35aaff65a539af824d36a72aac42393a71092cc9

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 7 months ago

To fix this issue, we should explicitly add a permissions: block to the workflow file, .github/workflows/runtime.yml, either at the root (which then applies to all jobs) or for the specific job (in this case, the only job is test). Because this workflow only delegates to a reusable workflow (uses), and unless we know more about what specific permissions are required, we should set contents: read as the minimal safe default. If additional permissions (such as pull-requests: write) are required by the reusable workflow, those should also be listed, but starting with the minimal case is appropriate. The edit is to insert a permissions: block at the top level, immediately below name: Runtime.

Suggested changeset 1
.github/workflows/runtime.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/runtime.yml b/.github/workflows/runtime.yml
--- a/.github/workflows/runtime.yml
+++ b/.github/workflows/runtime.yml
@@ -13,6 +13,8 @@
 # limitations under the License.
 
 name: Runtime
+permissions:
+  contents: read
 
 on:
   push:
EOF
@@ -13,6 +13,8 @@
# limitations under the License.

name: Runtime
permissions:
contents: read

on:
push:
Copilot is powered by AI and may make mistakes. Always verify output.
@renovate renovate Bot merged commit b728a49 into master Oct 12, 2025
13 checks passed
@renovate renovate Bot deleted the renovate/all-digest branch October 12, 2025 08:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xuhdev xuhdev Awaiting requested review from xuhdev xuhdev is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@github-advanced-security