Merge pull request #2533 from Ludy87/token_permissions

[Security] Token permissions
2025-10-25 11:17:28 +02:00 · 2024-12-21 23:03:10 +00:00 · 2024-12-21 23:03:10 +00:00 · b86eac20ea
commit b86eac20ea
parent 76924ccd2f 7ccb9db9f9
3 changed files with 75 additions and 72 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -6,16 +6,13 @@ on:
  pull_request:
    branches: ["main"]
-permissions:
+permissions: read-all
  contents: read
 jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
--- a/.github/workflows/check_properties.yml
+++ b/.github/workflows/check_properties.yml
@ -1,21 +1,17 @@
-name: Check Properties Files
+name: Check Properties Files on PR
 on:
  pull_request_target:
    types: [opened, synchronize, reopened]
    paths:
      - "src/main/resources/messages_*.properties"
-  push:
+
-    branches: ["main"]
+permissions: read-all
    paths:
      - "src/main/resources/messages_en_GB.properties"
 jobs:
  check-files:
    if: github.event_name == 'pull_request_target'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
@ -164,64 +160,3 @@ jobs:
        run: |
          echo "Failing the job because errors were detected."
          exit 1
  update-translations-main:
    if: github.event_name == 'push'
    permissions:
      contents: write
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Set up Python
        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: "3.x"
      - name: Run Python script to check files
        id: run-check
        run: |
          echo "Running Python script to check files..."
          python .github/scripts/check_language_properties.py \
            --reference-file src/main/resources/messages_en_GB.properties \
            --branch main
      - name: Set up git config
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"
      - name: Add translation keys
        run: |
          git add src/main/resources/messages_*.properties
          git diff --staged --quiet || echo "CHANGES_DETECTED=true" >> $GITHUB_ENV
      - name: Create Pull Request
        id: cpr
        if: env.CHANGES_DETECTED == 'true'
        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: "Update translation files"
          committer: GitHub Action <action@github.com>
          author: GitHub Action <action@github.com>
          signoff: true
          branch: update_translation_files
          title: "Update translation files"
          add-paths: |
            src/main/resources/messages_*.properties
          body: |
            Auto-generated by [create-pull-request][1]
            [1]: https://github.com/peter-evans/create-pull-request
          labels: Translation
          draft: false
          delete-branch: true
          sign-commits: true
--- a/.github/workflows/update-translations.yml
+++ b/.github/workflows/update-translations.yml
@ -0,0 +1,71 @@
 name: Update Translations
 on:
  push:
    branches: ["main"]
    paths:
      - "src/main/resources/messages_en_GB.properties"
 permissions: read-all
 jobs:
  update-translations-main:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Set up Python
        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: "3.x"
      - name: Run Python script to check files
        id: run-check
        run: |
          echo "Running Python script to check files..."
          python .github/scripts/check_language_properties.py \
            --reference-file src/main/resources/messages_en_GB.properties \
            --branch main
      - name: Set up git config
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"
      - name: Add translation keys
        run: |
          git add src/main/resources/messages_*.properties
          git diff --staged --quiet || echo "CHANGES_DETECTED=true" >> $GITHUB_ENV
      - name: Create Pull Request
        id: cpr
        if: env.CHANGES_DETECTED == 'true'
        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: "Update translation files"
          committer: GitHub Action <action@github.com>
          author: GitHub Action <action@github.com>
          signoff: true
          branch: update_translation_files
          title: "Update translation files"
          add-paths: |
            src/main/resources/messages_*.properties
          body: |
            Auto-generated by [create-pull-request][1]
            [1]: https://github.com/peter-evans/create-pull-request
          labels: Translation
          draft: false
          delete-branch: true
          sign-commits: true