fix: reduce permissions

supabase · Oct 8, 2024 · 5c6e517 · 5c6e517
1 parent b844cc7
commit 5c6e517
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
@@ -16,10 +16,15 @@ on:
       - reopened
       - ready_for_review
 
+permissions: 
+  contents: read
+
 jobs:
   check-conventional-commits:
     runs-on: ubuntu-latest
-
+    if: github.actor != 'dependabot[bot]' # skip for dependabot PRs
+    env:
+      EVENT: ${{ toJSON(github.event) }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -30,13 +35,13 @@ jobs:
         run: |
           set -ex
           TMP_FILE=$(mktemp)
-          echo '${{ toJSON(github.event) }}' > "$TMP_FILE"
-          node .github/workflows/conventional-commits-lint.js pr "$TMP_FILE"
+          echo "${EVENT}" > "$TMP_FILE"
+          node .github/workflows/conventional-commits-lint.js pr "${TMP_FILE}"
 
       - if: ${{ github.event_name == 'push' }}
         run: |
           set -ex
 
           TMP_FILE=$(mktemp)
-          echo '${{ toJSON(github.event) }}' > "$TMP_FILE"
-          node .github/workflows/conventional-commits-lint.js push "$TMP_FILE"
+          echo "${EVENT}" > "$TMP_FILE"
+          node .github/workflows/conventional-commits-lint.js push "${TMP_FILE}"