From b844cc79993a0c84e1dfc1b70f5061c1326f5f43 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Wed, 25 Sep 2024 17:09:31 +0200
Subject: [PATCH 1/2] chore: update workflow check-conventional-commits

Updates the workflow to deal with the fact that ``` in the github.event leading to code execution
---
.github/workflows/conventional-commits-lint.js | 2 +-
.github/workflows/conventional-commits.yml | 13 ++++++-------
2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/conventional-commits-lint.js b/.github/workflows/conventional-commits-lint.js
index da9b388b6..8eb4e451e 100644
--- a/.github/workflows/conventional-commits-lint.js
+++ b/.github/workflows/conventional-commits-lint.js
@@ -16,7 +16,7 @@ const ALLOWED_CONVENTIONAL_COMMIT_PREFIXES = [
];
const object = process.argv[2];
-const payload = JSON.parse(fs.readFileSync(process.stdin.fd, "utf-8"));
+const payload = JSON.parse(fs.readFileSync(process.argv[3], "utf-8"));
let validate = [];
diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
index f91c9b079..555687ffc 100644
--- a/.github/workflows/conventional-commits.yml
+++ b/.github/workflows/conventional-commits.yml
@@ -29,15 +29,14 @@ jobs:
- if: ${{ github.event_name == 'pull_request_target' }}
run: |
set -ex
-
- node .github/workflows/conventional-commits-lint.js pr < "$TMP_FILE"
+ node .github/workflows/conventional-commits-lint.js pr "$TMP_FILE"
- if: ${{ github.event_name == 'push' }}
run: |
set -ex
- node .github/workflows/conventional-commits-lint.js push < "$TMP_FILE"
+ node .github/workflows/conventional-commits-lint.js push "$TMP_FILE"

From 5c6e51791b5f903cf6b04a0fb695f34d8e0ab792 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Wed, 25 Sep 2024 17:28:46 +0200
Subject: [PATCH 2/2] fix: reduce permissions
---
.github/workflows/conventional-commits.yml | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
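Review bot: `process.argv[3]` is passed to `fs.readFileSync` without checking that a third argument was supplied, so invoking the script with only the object argument now fails inside the read with an opaque TypeError instead of a usage message, a failure mode the previous stdin form did not have. A guard before the read keeps the failure explicit: `if (!process.argv[3]) { console.error("usage: conventional-commits-lint.js <pr|push> <event-json-file>"); process.exit(1); }`. The rest of the script, including where `payload` is consumed, lies outside the hunk.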
diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
index 555687ffc..eeab86733 100644
--- a/.github/workflows/conventional-commits.yml
+++ b/.github/workflows/conventional-commits.yml
@@ -16,10 +16,15 @@ on:
- reopened
- ready_for_review
+permissions:
+ contents: read
+
jobs:
check-conventional-commits:
runs-on: ubuntu-latest
-
+ if: github.actor != 'dependabot[bot]' # skip for dependabot PRs
+ env:
+ EVENT: ${{ toJSON(github.event) }}
steps:
- uses: actions/checkout@v4
with:
@@ -30,13 +35,13 @@ jobs:
run: |
set -ex
TMP_FILE=$(mktemp)
-echo '${{ toJSON(github.event) }}' > "$TMP_FILE"
-node .github/workflows/conventional-commits-lint.js pr "$TMP_FILE"
+echo "${EVENT}" > "$TMP_FILE"
+node .github/workflows/conventional-commits-lint.js pr "${TMP_FILE}"
- if: ${{ github.event_name == 'push' }}
run: |
set -ex
TMP_FILE=$(mktemp)
-echo '${{ toJSON(github.event) }}' > "$TMP_FILE"
-node .github/workflows/conventional-commits-lint.js push "$TMP_FILE"
+echo "${EVENT}" > "$TMP_FILE"
+node .github/workflows/conventional-commits-lint.js push "${TMP_FILE}"
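Review bot: The `with:` block of `actions/checkout@v4` is cut off by the hunk, so it is not visible which ref the job checks out; because this workflow also runs on `pull_request_target` and later executes `node .github/workflows/conventional-commits-lint.js` from the checked-out tree, a checkout of the PR head would mean the lint script itself comes from the untrusted PR, and the new `permissions: contents: read` does not change that. Recording the intent next to the step would make it reviewable, e.g. `# pull_request_target: check out the base ref only - the lint script is run from this tree`. Moving `EVENT` to job-level `env` is the right shape for the fix, since the `toJSON(github.event)` expression is expanded into an environment variable rather than into script text. The job definition continues outside the hunk.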
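Review bot: With `set -ex` still in effect, the new `echo "${EVENT}" > "$TMP_FILE"` line is traced after expansion, so the entire event JSON is printed into the job log on every run, in both the pr and push steps. Writing it as `printf '%s' "${EVENT}" > "${TMP_FILE}"` avoids `echo`'s option and escape handling on arbitrary content, and dropping `-x` (or bracketing the write with `set +x` / `set -x`) keeps the payload out of the trace. The quoting of `TMP_FILE` is inconsistent within the same lines (`"$TMP_FILE"` on the echo, `"${TMP_FILE}"` on the node call); either form is fine, but one should be used throughout.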