chore: pin dependencies and specify permissions in the pipeline by inigomarquinez · Pull Request #25 · jshttp/statuses
Merged
merged 2 commits into
jshttp:masterfrom
inigomarquinez:tools/improve-pipelines
Apr 30, 2024
inigomarquinez commented
Contributor
Main Changes
This change includes the pinning for the GitHub Actions dependencies and the permissions definition for the pipeline.
Impact in the OSSF Scorecard
Context
Changes related
- OSSF Scorecard Documentation | Tokens permissions
- OSSF Scorecard Documentation | Pinned dependencies
Team discussion related
- Ref: Implementing OSSF Scorecard expressjs/security-wg#2
- Report: https://kooltheba.github.io/openssf-scorecard-api-visualizer/#/projects/github.com/jshttp/statuses/commit/454ceb6e0bfea4f889be244de2538df8afb4dc2a
[chore: pin dependencies and specify permissions in the pipeline](/jshttp/statuses/pull/25/commits/1bd281781fd09d631a265a2ab419799957022d4b "chore: pin dependencies and specify permissions in the pipeline")
[1bd2817](/jshttp/statuses/pull/25/commits/1bd281781fd09d631a265a2ab419799957022d4b)
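Added example, not code from this pull request or from jshttp/statuses: a minimal Node.js audit for the two things the description above says the change addresses, action references that are not pinned to a full commit SHA and a workflow with no top-level `permissions` block. The workflow text, its SHA and the function name `auditWorkflow` are constructed for illustration, and the line-based checks are a simplification, not OSSF Scorecard's own logic.

```javascript
// Added example: line-based audit of a GitHub Actions workflow.
// SAMPLE_WORKFLOW and its 40-hex SHA are constructed, not the project's file.
const SAMPLE_WORKFLOW = `name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: ./.github/actions/local-step
      - run: npm test
`;

// Returns findings as { line, rule, ref }; line is 1-based, 0 for file-level.
function auditWorkflow(text) {
  const findings = [];
  let hasTopLevelPermissions = false;
  text.split('\n').forEach((raw, i) => {
    const line = raw.replace(/\s+#.*$/, ''); // drop trailing YAML comment
    // A key at column 0 is top-level; job-level blocks are indented.
    if (/^permissions:/.test(line)) {
      hasTopLevelPermissions = true;
      if (/^permissions:\s*write-all\s*$/.test(line)) {
        findings.push({ line: i + 1, rule: 'write-all-permissions', ref: null });
      }
    }
    const m = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^"'\s]+)/);
    if (!m) return;
    const ref = m[1];
    if (ref.startsWith('./')) return; // action stored in the same repository
    // Tags and branches are mutable; only a full commit SHA (or image digest) is fixed.
    const pinned = ref.startsWith('docker://')
      ? /@sha256:[0-9a-f]{64}$/.test(ref)
      : /@[0-9a-f]{40}$/.test(ref);
    if (!pinned) findings.push({ line: i + 1, rule: 'unpinned-action', ref });
  });
  if (!hasTopLevelPermissions) {
    findings.push({ line: 0, rule: 'no-top-level-permissions', ref: null });
  }
  return findings;
}

console.log(auditWorkflow(SAMPLE_WORKFLOW));
```

A workflow that declares `permissions:` at column 0 and references every third-party action by 40-character commit SHA produces an empty findings list.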
UlisesGascon approved these changes Apr 29, 2024
UlisesGascon left a comment
Member
LGTM! Can you solve the conflict, @inigomarquinez ?
[Merge branch 'master' into tools/improve-pipelines](/jshttp/statuses/pull/25/commits/eb66ae98f2deaccd124c85fff890c2fd25ae0ce6 "Merge branch 'master' into tools/improve-pipelines")
[eb66ae9](/jshttp/statuses/pull/25/commits/eb66ae98f2deaccd124c85fff890c2fd25ae0ce6)
inigomarquinez commented
Contributor Author
I've solved the conflict.
UlisesGascon merged commit d8aaf89 into jshttp:master
inigomarquinez deleted the tools/improve-pipelines branch

