mirror of
https://github.com/curl/curl.git
synced 2026-04-15 01:05:56 +08:00
The pedantic level is experimental. If it causes issues, we may just
disable it alongside the ignore comments.
Also:
- silence error:
```
INFO audit: zizmor: completed label.yml
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
--> label.yml:13:1
|
13 | 'on': [pull_request_target]
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^ pull_request_target is almost always used insecurely
|
= note: audit confidence -> Medium
```
- fix pedantic warning:
```
INFO audit: zizmor: completed label.yml
warning[excessive-permissions]: overly broad permissions
--> label.yml:1:1
... |
24 | | with:
25 | | repo-token: '${{ secrets.GITHUB_TOKEN }}'
| |____________________________________________________- default permissions used due to no permissions: block
|
= note: audit confidence -> Medium
```
- silence `template-injection` false positives like:
```
- note: ${{ matrix.build.torture && 'test-torture' || 'test-ci' }} may expand into attacker-controllable code
- note: ${{ contains(matrix.build.install_steps, 'pytest') && 'caddy httpd vsftpd' || '' }} may expand into attacker-controllable code
```
It doesn't seem like these could be controlled by an attacker.
Let me know if I'm missing something.
Closes #17278
28 lines
745 B
YAML
```yaml
# Copyright (C) Daniel Fandrich, <dan@coneharvesters.com>, et al.
#
# SPDX-License-Identifier: curl

# This workflow will triage pull requests and apply a label based on the
# paths that are modified in the pull request.
#
# To use this workflow, you will need to set up a .github/labeler.yml
# file with configuration. For more information, see:
# https://github.com/actions/labeler

name: Labeler

'on': [pull_request_target] # zizmor: ignore[dangerous-triggers]

permissions: {}

jobs:
  label:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write

    steps:
      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
        with:
          repo-token: '${{ secrets.GITHUB_TOKEN }}'
```
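To triage `template-injection` notes like the two quoted in the commit message above, it helps to list which contexts each `${{ }}` expression actually reads. The sketch below is an added example, not code from curl or zizmor. The `UNTRUSTED` list, the function names and the third sample line are assumptions made for illustration, and a `matrix.*` verdict only means "not event data" when the matrix is written literally in the workflow file.

```python
import re

# Contexts GitHub documents as influenced by whoever opens the pull request
# or issue (a short list assumed for this example, not zizmor's rule set).
UNTRUSTED = (
    "github.head_ref",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
)

EXPR = re.compile(r"\$\{\{(.*?)\}\}", re.S)
STRING = re.compile(r"'(?:[^']|'')*'")             # expression string literal
REF = re.compile(r"[A-Za-z_][\w-]*(?:\.[\w-]+)+")  # dotted context reference


def context_refs(text):
    """Return the context references used inside every ${{ }} in text."""
    refs = []
    for body in EXPR.findall(text):
        # Drop literals first so 'caddy httpd vsftpd' is not read as a name.
        refs += REF.findall(STRING.sub(" ", body))
    return refs


def classify(text):
    """Map each reference to 'untrusted', 'matrix' or 'other'."""
    verdicts = {}
    for ref in context_refs(text):
        if any(ref == u or ref.startswith(u + ".") for u in UNTRUSTED):
            verdicts[ref] = "untrusted"
        elif ref.startswith("matrix."):
            verdicts[ref] = "matrix"  # safe only if the matrix is literal YAML
        else:
            verdicts[ref] = "other"
    return verdicts


# The two expressions quoted in the commit message, plus one constructed
# line showing what a true positive looks like.
SAMPLES = [
    "${{ matrix.build.torture && 'test-torture' || 'test-ci' }}",
    "${{ contains(matrix.build.install_steps, 'pytest') && 'caddy httpd vsftpd' || '' }}",
    'echo "${{ github.event.pull_request.title }}"',  # constructed
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), "<-", s)
```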