public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
62,065 Commits 655 Branches 650 Tags
f2f1663dba8a5f6884df19bebd2dbe61c831d8d5
Commit Graph

12 Commits

Author SHA1 Message Date
Roberto Jiménez Sánchez 9b3b6fcdb2 Security: Fix actor spoofing vulnerability in Dependabot workflow (#109519) 
Replace github.actor with github.event.pull_request.user.login to prevent
actor context spoofing in pull requests from forks. This ensures only
genuine Dependabot PRs can trigger the workspace update workflow.

Fixes zizmor security finding with Medium confidence level.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Claude <noreply@anthropic.com>
 2025-08-12 12:40:03 +00:00
dependabot[bot] 41df2e9d26 Bump actions/setup-go from 4.2.1 to 5.5.0 (#108286) 
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-07-31 13:27:36 +01:00
Mariell Hoversholm c92ff0ca75 Actions: Introduce actionlint (#105224) 2025-05-13 08:23:59 +02:00
Kevin Minehart 2436b4e097 CI: move workflows/actions to actions (#104711) 
* move workflows/actions to actions

* rerun actions

* fix setup-go v5

* unpinned unnecessary pins

* update CODEOWONERS

* update CODEOWONERS

* remove remove-milestone from codeowners

* remove bad key
 2025-04-29 14:24:55 -05:00
Kevin Minehart 97d10b5095 CI: remove unused worklow; use GITHUB_TOKEN where possible (#104657) 
* remove unused worklow; use GITHUB_TOKEN where possible

* pin usages of checkout and setup-go

* Fix zizmor errors

* add zizmor.yml

* fix `changelog.yml`

* fix `core-plugins-build-and-release.yml`

* fix `release-comms.yml`

* update release-pr.yml and run-e2e-suite.yml

* Fix errors in files outside of .github/workflows

* Remove path filter on zizmor.yml

---------

Co-authored-by: Sven Grossmann <svennergr@gmail.com>
Co-authored-by: joshhunt <josh.hunt@grafana.com>
 2025-04-29 10:09:23 -05:00
Todd Treece 16f85585ff Chore: Switch to github actions bot in go workspace action (#98490) 2025-01-03 22:29:57 +02:00
Todd Treece 5f5c3f0531 Chore: Add id-token:write permission to go workspace action (#98489) 2025-01-03 21:56:19 +02:00
Todd Treece f10bf8338e Chore: Prevent forks from running go workspace update action (#98488) 2025-01-03 21:33:30 +02:00
Todd Treece 228ac25ff4 Chore: Use github app for dependabot go workspace workflow (#98464) 2025-01-03 13:52:52 -05:00
Todd Treece ae7cb6866d Chore: Update git user for depedabot action (#98073) 2024-12-17 06:31:45 -05:00
Todd Treece 7bb1b352e1 CI: Use grot for dependabot go workspace commits (#96136) 2024-11-08 18:26:26 +02:00
Todd Treece 0b06dca472 CI: Add Dependabot go workspace action (#96064) 2024-11-07 20:14:04 -05:00