diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..b00bfd0 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,10 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + groups: + actions: + patterns: + - "*" diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml index b59be5f..c99d1db 100644 --- a/.github/workflows/boj-build.yml +++ b/.github/workflows/boj-build.yml @@ -1,19 +1,18 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later name: BoJ Server Build Trigger - on: push: - branches: [ main, master ] + branches: [main, master] workflow_dispatch: - jobs: trigger-boj: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 - + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Trigger BoJ Server (Casket/ssg-mcp) run: | # Send a secure trigger to boj-server to build this repository curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke" -H "Content-Type: application/json" -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"} continue-on-error: true +permissions: read-all diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml index 9bb4d39..325fcc4 100644 --- a/.github/workflows/workflow-linter.yml +++ b/.github/workflows/workflow-linter.yml @@ -63,7 +63,7 @@ jobs: echo "=== Checking Action Pinning ===" # Find any uses: lines that don't have @SHA format # Pattern: uses: owner/repo@<40-char-hex> - unpinned=$(grep -rn "uses:" .github/workflows/ | \ + unpinned=$(grep -rnE "^[[:space:]]+uses:" .github/workflows/ | \ grep -v "@[a-f0-9]\{40\}" | \ grep -v "uses: \./\|uses: docker://\|uses: actions/github-script" || true)