Skip to content

chore(ci): Maximize CI/CD values (Dependabot & Permissions) #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
hyperpolymath merged 2 commits into from
Mar 20, 2026
Merged

chore(ci): Maximize CI/CD values (Dependabot & Permissions) #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
333ebd4
chore(ci): maximize ci/cd values via dependabot and permissions
hyperpolymath Mar 18, 2026
2b3dda0
fix(ci): Resolve workflow-linter self-matching and metadata issues
hyperpolymath Mar 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
groups:
actions:
patterns:
- "*"
9 changes: 4 additions & 5 deletions .github/workflows/boj-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,18 @@
# SPDX-License-Identifier: PMPL-1.0-or-later
name: BoJ Server Build Trigger

on:
push:
branches: [ main, master ]
branches: [main, master]
workflow_dispatch:

jobs:
trigger-boj:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4

uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Trigger BoJ Server (Casket/ssg-mcp)
run: |
# Send a secure trigger to boj-server to build this repository
curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke" -H "Content-Type: application/json" -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"}
continue-on-error: true
permissions: read-all
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Update this workflow to satisfy the repo's linter

Because this change touches .github/workflows/boj-build.yml, the Workflow Security Linter will run on the PR (.github/workflows/workflow-linter.yml triggers on changes under .github/workflows/** at lines 7-12) and it still fails this file: the linter requires an SPDX header (lines 27-42) and SHA-pinned actions (lines 61-78), but boj-build.yml still has neither. In practice this means the permissions-only change will introduce a red CI status until those two policy violations are fixed in the same file.

Useful? React with 👍 / 👎.

2 changes: 1 addition & 1 deletion .github/workflows/workflow-linter.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ jobs:
echo "=== Checking Action Pinning ==="
# Find any uses: lines that don't have @SHA format
# Pattern: uses: owner/repo@<40-char-hex>
unpinned=$(grep -rn "uses:" .github/workflows/ | \
unpinned=$(grep -rnE "^[[:space:]]+uses:" .github/workflows/ | \
grep -v "@[a-f0-9]\{40\}" | \
grep -v "uses: \./\|uses: docker://\|uses: actions/github-script" || true)

Expand Down
Loading