fix: complete v0.9 release behavior #34
Annotations
1 error, 4 warnings, and 7 notices
|
risky-pull-request-target:
samples/bad/release.yml#L4
pull_request_target is used with a high-risk pattern. Suggestion%3A Avoid checking out or running pull request code with pull_request_target%2C especially when secrets or write permissions are available.
|
|
missing-timeout:
samples/bad/release.yml#L10
Job 'release' does not define timeout-minutes. Suggestion%3A Add a timeout-minutes value that reflects the expected maximum runtime for this job.
|
|
mutable-action-reference:
samples/bad/build.yml#L13
Action 'acme/example-action@main' uses a mutable reference. Suggestion%3A Use a version tag or%2C preferably for stricter security%2C pin the action to a full commit SHA.
|
|
missing-timeout:
samples/bad/build.yml#L7
Job 'build' does not define timeout-minutes. Suggestion%3A Add a timeout-minutes value that reflects the expected maximum runtime for this job.
|
|
missing-permissions:
samples/bad/build.yml#L1
Workflow does not define a top-level permissions block. Suggestion%3A Add a top-level permissions block and grant only the permissions required by the workflow.
|
|
missing-concurrency:
samples/bad/release.yml#L1
Workflow does not define concurrency. Suggestion%3A Consider adding concurrency with a group based on github.workflow and github.ref%2C and cancel-in-progress for CI workflows.
|
|
duplicate-workflow-name:
samples/bad/release.yml#L1
Workflow name 'CI' is used by multiple workflow files. Suggestion%3A Use unique workflow names so GitHub UI entries and status checks are easier to understand.
|
|
setup-node-cache-missing:
samples/bad/build.yml#L10
actions/setup-node is used without dependency caching. Suggestion%3A Add a cache value such as npm%2C yarn%2C or pnpm when the workflow installs Node.js dependencies.
|
|
missing-concurrency:
samples/bad/build.yml#L1
Workflow does not define concurrency. Suggestion%3A Consider adding concurrency with a group based on github.workflow and github.ref%2C and cancel-in-progress for CI workflows.
|
|
duplicate-workflow-name:
samples/bad/build.yml#L1
Workflow name 'CI' is used by multiple workflow files. Suggestion%3A Use unique workflow names so GitHub UI entries and status checks are easier to understand.
|
|
broad-push-trigger:
samples/bad/build.yml#L4
Workflow runs on every push without branch%2C tag%2C or path filters. Suggestion%3A Add branch%2C tag%2C or path filters if this workflow does not need to run for every push.
|
|
action-not-sha-pinned:
samples/bad/build.yml#L13
Third-party action 'acme/example-action@main' is not pinned to a full commit SHA. Suggestion%3A Pin third-party actions to a full 40-character commit SHA when you need stricter supply-chain security.
|