ci: update workflows by Fdawgs · Pull Request #59 · kibertoad/toad-cache

Fdawgs · 2025-03-12T19:07:27Z

Last PR, I promise!

This PR:

Removes Git credentials after checkout as a security precaution by setting persist-credentials to false. They are not used after the initial checkout, and this stops them from accidentally leaking through a script; see related GitHub security post and related actions/checkout issue
Declares the minimum permissions for the workflows to run at the workflow level, following principle of least privilege; see related GitHub security post
Set check-latest to true, so that the actions/setup-node will check it is using the latest minor or hotfix Node version and use that instead of its cached version, this stops an issue like with 22.5.0 that introduced a regression and actions were still using that instead of 22.5.1
Updates automerge job to check if the user triggering job is dependabot (same as what Fastify repos do)
Adds --ignore-scripts arg to npm install calls, preventing any potentially harmful lifecycle scripts that may have snuck in

ci: update workflows

88c7efa

gurgunday approved these changes Mar 23, 2025

View reviewed changes

kibertoad approved these changes Mar 23, 2025

View reviewed changes

kibertoad merged commit 0f1b25d into kibertoad:main Mar 23, 2025
3 checks passed

Fdawgs deleted the ci/updates branch March 23, 2025 15:47

Fdawgs mentioned this pull request Mar 25, 2025

ci: pin github actions to commit-hash #60

Merged

Provide feedback