From 72c7534610a2bf914265139134f74e2adb6af4dc Mon Sep 17 00:00:00 2001
From: Sam Gammon
Date: Wed, 18 Dec 2024 18:23:28 -0800
Subject: [PATCH] fix: scorecards attributes with workflows (#530)
Relates-to: ossf/scorecard#2489
Signed-off-by: Sam Gammon
---
 .gitattributes | 4 ----
 .gitattributes-release | 32 +++++++++++++++++++++++++++++++
 .github/workflows/deploy.docs.yml | 8 +++++---
 3 files changed, 37 insertions(+), 7 deletions(-)
 create mode 100644 .gitattributes-release
diff --git a/.gitattributes b/.gitattributes
index a9aa84b..fee4faf 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -6,10 +6,6 @@ local.bazelrc.inert export-ignore
 .aspect/bazelrc/ export-ignore
 .bazelci/ export-ignore
 .bcr/ export-ignore
-.github/*.md export-ignore
-.github/*.yml export-ignore
-.github/codeql export-ignore
-.github/workflows export-ignore
 .husky/ export-ignore
 docs/ export-ignore
 tools/ export-ignore
diff --git a/.gitattributes-release b/.gitattributes-release
new file mode 100644
index 0000000..78e260d
--- /dev/null
+++ b/.gitattributes-release
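Review bot: Nothing in the remaining `.gitattributes` records why the `.github/` entries were dropped, so a later tidy-up is likely to re-add `.github/workflows export-ignore` and silently hide the workflows from `git archive` consumers (which, per the Relates-to trailer, appears to be what broke Scorecard). The deletion is the intended fix, but the intent should live next to the lines that used to carry it. I would add, where the four removed lines were, `# .github/ is deliberately NOT export-ignored here: Scorecard reads workflows from the source archive (ossf/scorecard#2489); release-time ignores live in .gitattributes-release`. The hunk also means CI configuration is now part of every archive of this repository, which is presumably acceptable but worth stating in the same comment.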
@@ -0,0 +1,32 @@
+README.md export-ignore
+commitlint.config.js export-ignore
+pnpm-lock.yaml export-ignore
+pom.xml export-ignore
+local.bazelrc.inert export-ignore
+.aspect/bazelrc/ export-ignore
+.bazelci/ export-ignore
+.bcr/ export-ignore
+.github/ export-ignore
+.husky/ export-ignore
+docs/ export-ignore
+tools/ export-ignore
+.bazelignore export-ignore
+.bazelproject export-ignore
+.bazelrc export-ignore
+.bazelversion export-ignore
+.gitignore export-ignore
+.pre-commit-config.yaml export-ignore
+.prettierignore export-ignore
+.gitattributes export-ignore
+.prettierrc export-ignore
+.prettierrc.json export-ignore
+go.mod export-ignore
+go.sum export-ignore
+Makefile export-ignore
+package.json export-ignore
+example/ export-ignore
+version.bazelrc export-ignore
+maven_install.json linguist-generated=true
+internal/graalvm_bindist_map.bzl linguist-generated=true
+*/MODULE.bazel.lock linguist-generated=true
+MODULE.bazel.lock linguist-generated=true
diff --git a/.github/workflows/deploy.docs.yml b/.github/workflows/deploy.docs.yml
index 03269c4..66a03cc 100644
--- a/.github/workflows/deploy.docs.yml
+++ b/.github/workflows/deploy.docs.yml
@@ -12,9 +12,6 @@ name: Docs
 # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
   contents: read
-  pages: write
-  id-token: write
-  deployments: write
 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
@@ -27,6 +24,11 @@ jobs:
     name: "Build: Docs"
     continue-on-error: true
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
+      deployments: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
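Review bot: The new `.gitattributes-release` marks `.gitattributes export-ignore` but never ignores itself, so whichever archive it governs will ship `.gitattributes-release` while dropping the real `.gitattributes`; add `.gitattributes-release export-ignore` next to that line. Nothing in this patch shows how the file is activated (no script, workflow or Makefile target references it), so the mechanism is presumably outside the diff; a header comment such as `# Release-archive attributes; copied over .gitattributes when producing release artifacts (see ossf/scorecard#2489 for why the default file must not hide .github/)` would let a reader verify the swap without guessing. Since `.github/ export-ignore` here is broader than the four patterns removed from `.gitattributes`, it is also worth confirming that release archives are never the input Scorecard reads.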
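Review bot: The comment kept above the workflow-level `permissions:` (`# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages`) is now stale, because after this hunk that block grants only `contents: read` and the deployment scopes live on the job. I would change it to `# Least-privilege default for the GITHUB_TOKEN; the docs job raises pages/id-token/deployments on itself below` so the next reader does not re-add the write scopes at workflow level. Narrowing the default token to read-only for every job is the right direction for a workflow that also runs third-party actions.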
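Review bot: A job-level `permissions:` block replaces the workflow-level one entirely rather than extending it, so keeping `contents: read` in the new block is required for checkout, not redundant; a one-line comment above it, `# job-level permissions replace the workflow default; contents: read is still needed for checkout`, would prevent it being "cleaned up". `deployments: write` is carried over unchanged; if the deploy step is `actions/deploy-pages`, its documented requirements are `pages: write` and `id-token: write`, so verify whether `deployments: write` is actually consumed by a step in this job (the steps are outside the hunk) and drop it if not. Note also that this job is `continue-on-error: true`, so a failed deployment with these elevated scopes will not fail the workflow run.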