Merge pull request #549 from crazy-max/zizmor-fixes

ci: restrict update-dist GitHub App token scope
2026-05-22 05:56:20 +08:00 · 2026-05-21 14:58:05 +02:00 · 2026-05-21 14:27:36 +02:00
2 changed files with 4 additions and 2 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -35,12 +35,12 @@ jobs:
          node-version: ${{ env.NODE_VERSION }}
      -
        name: Initialize CodeQL
-        uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          languages: javascript-typescript
          build-mode: none
      -
        name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          category: "/language:javascript-typescript"
--- a/.github/workflows/update-dist.yml
+++ b/.github/workflows/update-dist.yml
@@ -26,6 +26,8 @@ jobs:
          app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
          private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
          owner: docker
+          repositories: setup-buildx-action
+          permission-contents: write
      -
        name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Author	SHA1	Message	Date
CrazyMax	fe05060e96	Merge pull request #549 from crazy-max/zizmor-fixes Some checks failed ci / windows-error (push) Waiting to run Details ci / main () (push) Successful in 10s Details ci / main (cloud:latest) (push) Successful in 13s Details ci / main (lab:latest) (push) Successful in 12s Details ci / main (cloud:v0.11.2-desktop.2) (push) Failing after 9s Details ci / main (latest) (push) Successful in 11s Details ci / error (push) Failing after 17s Details ci / multi (push) Successful in 18s Details ci / use (false) (push) Successful in 13s Details ci / use (true) (push) Successful in 13s Details ci / driver (image=moby/buildkit:latest) (push) Successful in 10s Details ci / main (v0.4.1) (push) Successful in 29s Details ci / docker-driver (push) Successful in 10s Details ci / debug (push) Successful in 28s Details ci / endpoint (push) Failing after 10s Details ci / driver (image=moby/buildkit:master network=host ) (push) Successful in 15s Details ci / buildkitd-config (push) Successful in 15s Details ci / buildkitd-config-inline (push) Successful in 13s Details ci / build-ref (cb185f095fd3d9444e0aa605d3789e9e05f2a1e7) (push) Failing after 16s Details ci / with-qemu (v0.9.1, arm64,riscv64,arm) (push) Failing after 25s Details ci / with-qemu (v0.9.1, all) (push) Failing after 25s Details ci / with-qemu (, all) (push) Successful in 29s Details ci / with-qemu (, arm64,riscv64,arm) (push) Successful in 30s Details ci / build-ref (refs/pull/731/head) (push) Failing after 17s Details ci / build-ref (master) (push) Successful in 27s Details ci / build-ref (refs/tags/v0.5.1) (push) Failing after 16s Details ci / standalone-cmd (push) Successful in 15s Details ci / docker-context (push) Successful in 15s Details ci / standalone-action (push) Successful in 21s Details ci / append (push) Successful in 25s Details ci / cleanup (false) (push) Successful in 20s Details ci / cleanup (true) (push) Successful in 17s Details ci / k3s (latest) (push) Failing after 16s Details ci / platforms (push) Successful in 31s Details ci / cache-binary (false) (push) Failing after 11s Details ci / cache-binary (true) (push) Failing after 10s Details zizmor / zizmor (push) Failing after 1s Details ci / k3s (v0.10.5) (push) Failing after 16s Details ci / k3s (v0.11.0) (push) Failing after 16s Details ci / keep-state-error (push) Successful in 11s Details ci / keep-state (push) Successful in 15s Details validate / prepare (push) Successful in 12s Details validate / validate (push) Successful in 21s Details test / test (push) Successful in 49s Details codeql / analyze (push) Failing after 1m35s Details ci: restrict update-dist GitHub App token scope	2026-05-21 14:58:05 +02:00
CrazyMax	d717e33d65	ci: restrict update-dist GitHub App token scope Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-05-21 14:27:36 +02:00