wangbo/ComfyUI
1
0
Fork 0
mirror of https://github.com/comfyanonymous/ComfyUI.git synced 2026-06-01 20:07:37 +08:00
Code Issues Actions 14 Packages Projects Releases Wiki Activity

Pin reusable workflow to commit SHA + add explicit permissions

Browse Source 
Best-practice hardening for the caller of the reusable detector workflow:
- Replace @v1 tag with the immutable commit SHA 5d9602ee... (# v1 comment
  preserves human-readable version info). Satisfies pin-validation tools
  like pinact and zizmor.
- Add explicit minimum permissions (contents: read, pull-requests: read)
  at workflow level so the default permissive token scope is not granted.
This commit is contained in:
Luke Mino-Altherr 2026-05-27 19:00:04 -07:00
parent e3261c3e37
commit 668cb0748e
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.github/workflows/detect-unreviewed-merge.yml vendored
View File

@ -11,9 +11,13 @@ concurrency:
group: detect-unreviewed-merge-${{ github.sha }} group: detect-unreviewed-merge-${{ github.sha }}
cancel-in-progress: false cancel-in-progress: false
permissions:
contents: read
pull-requests: read
jobs: jobs:
detect: detect:
uses: Comfy-Org/github-workflows/.github/workflows/detect-unreviewed-merge.yml@v1 uses: Comfy-Org/github-workflows/.github/workflows/detect-unreviewed-merge.yml@5d9602ee861466a7873270cd6b2037ebdfdee9a3 # v1
with: with:
approval-mode: latest-per-reviewer approval-mode: latest-per-reviewer
secrets: secrets: