| author | Evgeny Vereshchagin <evvers@ya.ru> | 2021-11-11 01:56:02 +0000 |
|---|---|---|
| committer | Evgeny Vereshchagin <evvers@ya.ru> | 2021-11-11 10:19:06 +0000 |
| commit | 5570313421a27bd8a7a7e04de975e64769df8cf8 (patch) | |
| tree | 9df4e130db6f9bcf6a29ecb99ab3af61237c7694 /.github/dependabot.yml | |
| parent | 33796123bccabdcc91ee9b87b5c042710bf50362 (diff) | |
| download | systemd-5570313421a27bd8a7a7e04de975e64769df8cf8.tar.gz | |
ci: pin labeler
Turns out GHActions where `pull_request_target` is used are capable
of pwning repositories: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
labeler doesn't check out the source code or build anything, so
it's safe in its current form, but to avoid surprises let's just pin
it to the latest version. It's annoying to manage dependencies like this
manually so additionally dependabot.yml is introduced to make it
easier to keep GHActions up to date more or less automatically:
https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot
Diffstat (limited to '.github/dependabot.yml')
-rw-r--r-- | .github/dependabot.yml | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000000..123014908b --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" |
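Review bot: `interval: "daily"` in the `schedule` block is the noisiest setting for a repository that is pinning only the labeler action; `interval: "weekly"` would still meet the stated goal of keeping actions current with far fewer update pull requests. Worth settling in the same change how the action itself is pinned: a version tag (`@vN`) is a ref the upstream can move, so it does not give the "no surprises" guarantee the commit message is after, whereas a full commit SHA does, and Dependabot can bump SHA-pinned actions as well, so this `github-actions` update config works with either pinning style.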