fix: remediate axios supply chain compromise and harden CI workflow permissions

GitHub Actions
2026-04-04 00:05:27 +00:00
parent 34d73ad6ed
commit 2b8ed06c3c
19 changed files with 217 additions and 188 deletions


@@ -8,6 +8,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.issue.number || github.event.pull_request.number }}
cancel-in-progress: false
permissions:
contents: read
jobs:
add-to-project:
runs-on: ubuntu-latest
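Review bot: A workflow-level `permissions:` block replaces the default token grant for every job in the file, so `add-to-project` will run with nothing but `contents: read` unless its job block, which lies outside the hunk, declares its own permissions. Adding an issue or pull request to a project or applying labels normally needs `issues: write` / `pull-requests: write` on the job (or a separately scoped token for organisation-level projects), so confirm those job-level grants exist rather than widening the top-level block. The same check applies to the `auto-label` and `create-labels` hunks, which receive the identical top-level `contents: read`.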


@@ -12,6 +12,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}
cancel-in-progress: true
permissions:
contents: write
jobs:
update-draft:
runs-on: ubuntu-latest
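Review bot: `contents: write` is granted at the workflow level here, so every job in this file, not only `update-draft`, runs with a write-capable token; the concurrency group reads `github.event.workflow_run.head_branch`, which suggests this workflow is `workflow_run`-triggered and its token already has base-repository access whatever the origin of the triggering change. Prefer keeping the top-level block at `contents: read` and placing `permissions:` / `contents: write` on the `update-draft` job alone, which also documents which job actually needs to write. The hunk that grants `pull-requests: write` for the history-rewrite checklist workflow has the same shape and would benefit from the same job-level scoping.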


@@ -8,6 +8,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.issue.number }}
cancel-in-progress: true
permissions:
contents: read
jobs:
auto-label:
runs-on: ubuntu-latest


@@ -20,6 +20,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
cerberus-integration:
name: Cerberus Security Stack Integration


@@ -8,6 +8,9 @@ concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false
permissions:
contents: read
jobs:
create-labels:
runs-on: ubuntu-latest


@@ -20,6 +20,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
crowdsec-integration:
name: CrowdSec Bouncer Integration


@@ -33,6 +33,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}
cancel-in-progress: true
permissions:
contents: read
env:
GHCR_REGISTRY: ghcr.io
DOCKERHUB_REGISTRY: docker.io
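Review bot: With the new top-level `contents: read`, any job in this workflow that pushes to `ghcr.io` with `GITHUB_TOKEN` (the `GHCR_REGISTRY` env implies one exists, though the jobs are outside the hunk) will fail at push time unless that job declares `packages: write` itself, and a job that uploads scan results or signs/attests images likewise needs its own `security-events: write` or `id-token: write` / `attestations: write`. Confirm each publishing job carries a job-level `permissions:` block before merging. The hunks that set `REGISTRY: ghcr.io` and `IMAGE_NAME: wikid82/charon` need the same check.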


@@ -7,6 +7,9 @@ on:
required: true
type: string
permissions:
contents: read
jobs:
cleanup:
runs-on: ubuntu-latest


@@ -9,6 +9,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}
cancel-in-progress: true
permissions:
contents: read
jobs:
test:
runs-on: ubuntu-latest


@@ -22,6 +22,9 @@ env:
DOCKERHUB_REGISTRY: docker.io
IMAGE_NAME: wikid82/charon
permissions:
contents: read
jobs:
sync-development-to-nightly:
runs-on: ubuntu-latest


@@ -12,6 +12,10 @@ concurrency:
group: ${{ github.workflow }}-${{ inputs.pr_number || github.event.pull_request.number }}
cancel-in-progress: true
permissions:
contents: read
pull-requests: write
jobs:
validate:
name: Validate history-rewrite checklist (conditional)


@@ -268,6 +268,12 @@ jobs:
cache: 'npm'
cache-dependency-path: frontend/package-lock.json
- name: Verify lockfile integrity and audit dependencies
working-directory: frontend
run: |
npm ci --ignore-scripts
npm audit --audit-level=critical
- name: Check if frontend was modified in PR
id: check-frontend
run: |
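Review bot: `npm audit --audit-level=critical` only fails the step on critical advisories, so a high-severity advisory for a compromised dependency passes this gate silently; `npm audit --audit-level=high` is the usual threshold for a check that is meant to block a supply-chain incident. `npm ci --ignore-scripts` correctly prevents install-time lifecycle scripts from executing, but the step name promises lockfile integrity verification that `npm ci` provides only to the extent the `integrity` and `resolved` fields in `frontend/package-lock.json` are themselves trustworthy, so a reviewer should confirm the axios entry in that lockfile was regenerated against the intended version rather than carried over. If any later step in this job, outside the hunk, runs `npm ci` or `npm install` without `--ignore-scripts`, that protection is lost for the second install.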


@@ -20,6 +20,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
rate-limit-integration:
name: Rate Limiting Integration


@@ -9,6 +9,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }}
cancel-in-progress: true
permissions:
contents: read
jobs:
repo_health:
name: Repo health


@@ -22,6 +22,9 @@ concurrency:
group: security-pr-${{ github.event_name == 'workflow_run' && github.event.workflow_run.event || github.event_name }}-${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
security-scan:
name: Trivy Binary Scan


@@ -19,6 +19,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false
permissions:
contents: read
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository_owner }}/charon


@@ -20,6 +20,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
waf-integration:
name: Coraza WAF Integration