### Setup Node.js GitHub Action Configuration Source: https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/README.md Example configuration for the actions/setup-node Action, showing GITHUB_TOKEN as an Action input and minimal permissions for rate-limiting. ```yaml name: 'Setup Node.js environment' github-token: action-input: input: token is-default: true permissions: # Used to pull node distributions from node-versions. Metadata permissions is present by default ``` -------------------------------- ### Close Issue GitHub Action Configuration and Workflow Example Source: https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/README.md Example configuration for peter-evans/close-issue Action and a corresponding GitHub workflow demonstrating automatic permission setting. ```yaml github-token: action-input: input: token is-default: true permissions: issues: write issues-reason: to close issues ``` ```yaml jobs: closeissue: permissions: issues: write # for peter-evans/close-issue@v1 to close issues runs-on: ubuntu-latest steps: - name: Close Issue uses: peter-evans/close-issue@v1 with: issue-number: 1 comment: Auto-closing issue ``` -------------------------------- ### Example for peter-evans/close-issue GitHub Action Source: https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/README.md An example action-security.yml for the peter-evans/close-issue action, showing GitHub token as a default input and required permissions. ```yaml github-token: action-input: input: token is-default: true permissions: issues: write issues-reason: to close issues ``` -------------------------------- ### Super-Linter GitHub Action Configuration Source: https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/README.md Example configuration for the github/super-linter Action, specifying the GITHUB_TOKEN as an environment variable and detailing required permissions. ```yaml name: 'Super-Linter' github-token: environment-variable-name: GITHUB_TOKEN permissions: statuses: write statuses-reason: to mark status of each linter run ``` -------------------------------- ### Action uses GitHub token as environment variable Source: https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/README.md Example of an action-security.yml file where the GitHub token is expected as an environment variable. ```yaml name: Delete tag and release github-token: environment-variable-name: GITHUB_TOKEN ``` -------------------------------- ### Action does not use GitHub token Source: https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/README.md Example of an action-security.yml file for an action that does not use the GitHub token. ```yaml name: 'Stelligent cfn_nag' # stelligent/cfn_nag # GITHUB_TOKEN not used ``` -------------------------------- ### Action uses GitHub token as action input (default) with permissions Source: https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/README.md Example of an action-security.yml file specifying GitHub token as a default action input with required permissions and reasons. ```yaml name: 'Create or Update Comment' github-token: action-input: input: token is-default: true permissions: issues: write issues-reason: to create or update comment pull-requests: write pull-requests-reason: to create or update comment ``` -------------------------------- ### Action uses GitHub token as action input (not default) Source: https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/README.md Example of an action-security.yml file where the GitHub token is expected as an action input and is not the default value. ```yaml name: 'Edit Release' github-token: action-input: input: token is-default: false ``` -------------------------------- ### Workflow Details Source: https://github.com/step-security/secure-repo/blob/main/Automate-PR/README.md Provide details for the workflow, such as the topic, minimum stars, and total PRs to be secured. ```yaml topic : ${topic relevant} min_star : ${minimum number of stars} total_pr : ${total number of workflows to be secured} ``` -------------------------------- ### Automate PR Action Usage Source: https://github.com/step-security/secure-repo/blob/main/Automate-PR/README.md This snippet should be added to your workflow's job steps to integrate the Automate PR action. ```yaml steps: - name: Automate PR uses: Devils-Knight/Automate-PR@master with: github-token: ${{secrets.GITHUB_TOKEN }} issue-id: ${{ github.event.issue.number}} ``` -------------------------------- ### KBAnalysis Workflow Step Source: https://github.com/step-security/secure-repo/blob/main/kbanalysis/README.md This snippet shows how to integrate the KBAnalysis action into a GitHub Actions workflow. It requires read access to contents and write access to issues. ```yaml steps: - name: KBAnalysis uses: h0x0er/kbanalysis@master with: github-token: ${{secrets.GITHUB_TOKEN }} issue-id: ${{ github.event.issue.number}} ``` -------------------------------- ### Secure All Workflows for a Specified Repo Source: https://github.com/step-security/secure-repo/blob/main/Automate-PR/README.md This snippet secures all workflows for a given repository. If some workflows fail due to missing KBs, they can be restarted after adding the missing KBs and re-adding the 'Automate' label to the issue. ```yaml fix-repo name : ${owner}/${repo} ``` -------------------------------- ### action-security.yml for dessant/lock-threads Source: https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/README.md This YAML configuration defines the security permissions for the `dessant/lock-threads` GitHub Action. It specifies write permissions for issues and pull requests, with conditional logic based on the action's inputs. ```yaml github-token: action-input: input: github-token is-default: true permissions: issues: write issues-if: "${{ !contains(with, 'process-only') || with['process-only'] == 'issues' }}" issues-reason: to lock issues pull-requests: write pull-requests-if: "${{ !contains(with, 'process-only') || with['process-only'] == 'prs' }}" pull-requests-reason: to lock PRs ``` -------------------------------- ### Workflow Trigger Condition Source: https://github.com/step-security/secure-repo/blob/main/Automate-PR/README.md Add this snippet to your job to trigger the workflow when an issue is created with the 'Automate' label. ```yaml if: github.event.label.name == 'Automate' ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.