From 40bc9523680f8b4263a1265bc03b10372657d42f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 8 Feb 2026 16:02:39 +0000 Subject: [PATCH 1/2] Bump the github-actions group with 8 updates Bumps the github-actions group with 8 updates: | Package | From | To | | --- | --- | --- | | [bemanproject/infra-workflows/.github/workflows/reusable-beman-submodule-check.yml](https://github.com/bemanproject/infra-workflows) | `1.2.1` | `1.3.0` | | [bemanproject/infra-workflows/.github/workflows/reusable-beman-preset-test.yml](https://github.com/bemanproject/infra-workflows) | `1.2.1` | `1.3.0` | | [bemanproject/infra-workflows/.github/workflows/reusable-beman-build-and-test.yml](https://github.com/bemanproject/infra-workflows) | `1.2.1` | `1.3.0` | | [bemanproject/infra-workflows/.github/workflows/reusable-beman-install-test.yml](https://github.com/bemanproject/infra-workflows) | `1.2.1` | `1.3.0` | | [bemanproject/infra-workflows/.github/workflows/reusable-beman-create-issue-when-fault.yml](https://github.com/bemanproject/infra-workflows) | `1.2.1` | `1.3.0` | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.14.1` | `2.14.2` | | [bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml](https://github.com/bemanproject/infra-workflows) | `1.2.1` | `1.3.0` | | [bemanproject/infra-workflows/.github/workflows/reusable-beman-update-pre-commit.yml](https://github.com/bemanproject/infra-workflows) | `1.2.1` | `1.3.0` | Updates `bemanproject/infra-workflows/.github/workflows/reusable-beman-submodule-check.yml` from 1.2.1 to 1.3.0 - [Commits](https://github.com/bemanproject/infra-workflows/compare/1.2.1...1.3.0) Updates `bemanproject/infra-workflows/.github/workflows/reusable-beman-preset-test.yml` from 1.2.1 to 1.3.0 - [Commits](https://github.com/bemanproject/infra-workflows/compare/1.2.1...1.3.0) Updates `bemanproject/infra-workflows/.github/workflows/reusable-beman-build-and-test.yml` from 1.2.1 to 1.3.0 - 
[Commits](https://github.com/bemanproject/infra-workflows/compare/1.2.1...1.3.0) Updates `bemanproject/infra-workflows/.github/workflows/reusable-beman-install-test.yml` from 1.2.1 to 1.3.0 - [Commits](https://github.com/bemanproject/infra-workflows/compare/1.2.1...1.3.0) Updates `bemanproject/infra-workflows/.github/workflows/reusable-beman-create-issue-when-fault.yml` from 1.2.1 to 1.3.0 - [Commits](https://github.com/bemanproject/infra-workflows/compare/1.2.1...1.3.0) Updates `step-security/harden-runner` from 2.14.1 to 2.14.2 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/e3f713f2d8f53843e71c69a996d56f51aa9adfb9...5ef0c079ce82195b2a36a210272d6b661572d83e) Updates `bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml` from 1.2.1 to 1.3.0 - [Commits](https://github.com/bemanproject/infra-workflows/compare/1.2.1...1.3.0) Updates `bemanproject/infra-workflows/.github/workflows/reusable-beman-update-pre-commit.yml` from 1.2.1 to 1.3.0 - [Commits](https://github.com/bemanproject/infra-workflows/compare/1.2.1...1.3.0) --- updated-dependencies: - dependency-name: bemanproject/infra-workflows/.github/workflows/reusable-beman-submodule-check.yml dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: bemanproject/infra-workflows/.github/workflows/reusable-beman-preset-test.yml dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: bemanproject/infra-workflows/.github/workflows/reusable-beman-build-and-test.yml dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: bemanproject/infra-workflows/.github/workflows/reusable-beman-install-test.yml dependency-version: 
1.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: bemanproject/infra-workflows/.github/workflows/reusable-beman-create-issue-when-fault.yml dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: step-security/harden-runner dependency-version: 2.14.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: bemanproject/infra-workflows/.github/workflows/reusable-beman-update-pre-commit.yml dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/ci_tests.yml | 10 +++++----- .github/workflows/codeql.yml | 2 +- .github/workflows/doxygen-gh-pages.yml | 2 +- .github/workflows/ossf-scorecard-analysis.yml | 2 +- .github/workflows/pre-commit-check.yml | 2 +- .github/workflows/pre-commit-update.yml | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci_tests.yml b/.github/workflows/ci_tests.yml index 72e22a4..a34163c 100644 --- a/.github/workflows/ci_tests.yml +++ b/.github/workflows/ci_tests.yml 
@@ -13,10 +13,10 @@ on: jobs: beman-submodule-check: - uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-submodule-check.yml@1.2.1 + uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-submodule-check.yml@1.3.0 preset-test: - uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-preset-test.yml@1.2.1 + uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-preset-test.yml@1.3.0 with: matrix_config: > [ @@ -31,7 +31,7 @@ jobs: ] build-and-test: - uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-build-and-test.yml@1.2.1 + uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-build-and-test.yml@1.3.0 with: matrix_config: > { @@ -135,7 +135,7 @@ jobs: } install-test: - uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-install-test.yml@1.2.1 + uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-install-test.yml@1.3.0 with: image: ghcr.io/bemanproject/infra-containers-gcc:latest cxx_standard: 26 @@ -143,4 +143,4 @@ jobs: create-issue-when-fault: needs: [preset-test, build-and-test] if: failure() && github.event_name == 'schedule' - uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-create-issue-when-fault.yml@1.2.1 + uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-create-issue-when-fault.yml@1.3.0 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 8f47d22..6db793e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -59,7 +59,7 @@ jobs: # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 with: egress-policy: audit diff --git a/.github/workflows/doxygen-gh-pages.yml b/.github/workflows/doxygen-gh-pages.yml index 5c507b9..476c3d0 100644 --- a/.github/workflows/doxygen-gh-pages.yml +++ b/.github/workflows/doxygen-gh-pages.yml @@ -16,7 +16,7 @@ jobs: contents: write steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 with: egress-policy: audit diff --git a/.github/workflows/ossf-scorecard-analysis.yml b/.github/workflows/ossf-scorecard-analysis.yml index 89dbaab..feeb468 100644 --- a/.github/workflows/ossf-scorecard-analysis.yml +++ b/.github/workflows/ossf-scorecard-analysis.yml @@ -22,7 +22,7 @@ jobs: steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 with: egress-policy: audit diff --git a/.github/workflows/pre-commit-check.yml b/.github/workflows/pre-commit-check.yml index 5749343..2f91103 100644 --- a/.github/workflows/pre-commit-check.yml +++ b/.github/workflows/pre-commit-check.yml @@ -10,4 +10,4 @@ on: jobs: pre-commit: - uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml@1.2.1 + uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml@1.3.0 
diff --git a/.github/workflows/pre-commit-update.yml b/.github/workflows/pre-commit-update.yml index 9261dbf..930b750 100644 --- a/.github/workflows/pre-commit-update.yml +++ b/.github/workflows/pre-commit-update.yml @@ -9,7 +9,7 @@ on: jobs: auto-update-pre-commit: - uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-update-pre-commit.yml@1.2.1 + uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-update-pre-commit.yml@1.3.0 secrets: APP_ID: ${{ secrets.AUTO_PR_BOT_APP_ID }} PRIVATE_KEY: ${{ secrets.AUTO_PR_BOT_PRIVATE_KEY }} From 05a828bd2b0a4156dc67c2d9b1d2b81fc5b675fb Mon Sep 17 00:00:00 2001 From: Steve Downey Date: Sun, 8 Feb 2026 15:50:32 -0500 Subject: [PATCH 2/2] Potential fix for code scanning alert no. 31: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/pre-commit-check.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pre-commit-check.yml b/.github/workflows/pre-commit-check.yml index 2f91103..ed4bbac 100644 --- a/.github/workflows/pre-commit-check.yml +++ b/.github/workflows/pre-commit-check.yml @@ -10,4 +10,6 @@ on: jobs: pre-commit: + permissions: + contents: read uses: bemanproject/infra-workflows/.github/workflows/reusable-beman-pre-commit.yml@1.3.0
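Review bot: The new job-level `permissions: contents: read` on `pre-commit` becomes the ceiling for the GITHUB_TOKEN inside `reusable-beman-pre-commit.yml`, and nothing in this hunk shows that the called workflow needs no other scope; if it posts review comments or check annotations it would need e.g. `pull-requests: write` and would begin to fail, so the autofix should be checked against the reusable workflow at 1.3.0. A short comment above the block, such as `# least privilege: the called workflow only reads the repository`, would record that this was verified. The `uses:` line below it still references the mutable tag `@1.3.0`, whereas harden-runner in this series is pinned to a full commit SHA; `uses: ...reusable-beman-pre-commit.yml@<full-commit-sha> # 1.3.0` would match. That matters most for the `auto-update-pre-commit` hunk in pre-commit-update.yml, where `APP_ID` and `PRIVATE_KEY` are passed to a workflow resolved by tag.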