
Implement CI updates, funding config, and dependency automation #30

Merged: 4 commits, Jan 30, 2025

Conversation

@saschpe (Owner) commented Jan 30, 2025

Description of the Change

This pull request introduces several enhancements to the project repository:

  • GitHub Actions Permissions: Updated the workflow to include contents: read in permissions, ensuring adherence to the principle of least privilege.
  • CI Trigger Conditions: Modified the CI pipeline to trigger only for specific changes, enhancing efficiency and clarity.
  • Funding Configuration: Added FUNDING.yml to display sponsorship options for contributors.
  • Dependabot Configuration: Introduced .github/dependabot.yml to automate weekly dependency updates for Gradle and GitHub Actions.

These changes collectively improve workflow security, efficiency, and support for ongoing maintenance.

Benefits

  • Improved security by enforcing least privilege for CI workflows.
  • Increased clarity in CI processing by refining triggers.
  • Better project sustainability with funding options and automated dependency updates.

Possible Drawbacks

No known drawbacks anticipated at this stage.

Verification Process

  • Verified workflow permissions behave as expected with reduced access.
  • Tested CI triggering under various conditions to ensure it only runs for valid changes.
  • Confirmed FUNDING.yml displays sponsor links as per GitHub guidelines.
  • Manually validated Dependabot integration with test repositories.

Applicable Issues

None

This commit introduces a `.github/dependabot.yml` file to automate
dependency updates. Gradle and GitHub Actions dependencies will be
checked weekly to ensure the project stays up-to-date and secure.

This file introduces funding configuration to display sponsorship
options directly in the repository. It helps contributors and users
support the project financially.

The workflow now triggers only for pushes to 'main' and ignores changes
to specific files like .gitignore, LICENSE, and README.md. Additionally,
it triggers on pull requests targeting the 'main' branch, enhancing
clarity and efficiency in pipeline execution.

Added `contents: read` to the permissions block in `main.yml`. This
change ensures the workflow adheres to the principle of least privilege
by limiting its access scope.
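The two configuration changes described above, written out as an added example that is not the project's own `main.yml` or `dependabot.yml`: a workflow with the restricted token permissions and the narrowed triggers, followed by a weekly Dependabot schedule. The job name and the `./gradlew build` step are assumptions.

```yaml
# Added example, not the repository's actual file.
# --- .github/workflows/main.yml ---
name: CI

on:
  push:
    branches: [main]
    # Pushes that touch only these files do not start a run.
    paths-ignore:
      - '.gitignore'
      - 'LICENSE'
      - 'README.md'
  pull_request:
    # Filters on the base branch of the pull request.
    branches: [main]

# Least privilege: GITHUB_TOKEN can only read repository contents.
# Without a top-level permissions block the token inherits the
# repository's default, which may be read-write on every scope.
permissions:
  contents: read

jobs:
  build:   # assumed job; the project's real steps are not shown on this page
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./gradlew build

---
# --- .github/dependabot.yml ---
# Weekly update checks for both ecosystems named in the PR.
version: 2
updates:
  - package-ecosystem: gradle
    directory: /
    schedule:
      interval: weekly
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
```

Because `paths-ignore` suppresses the run entirely, a push that changes only the listed files reports no status check for this workflow; keep that in mind if the check is marked as required on `main`. Any job that needs to write (for example to publish a release) must request that scope explicitly at job level rather than widening the top-level block.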
@saschpe self-assigned this Jan 30, 2025
@saschpe added the label "enhancement" (New feature or request) Jan 30, 2025
@saschpe merged commit e428d3f into main Jan 30, 2025
6 checks passed
@saschpe deleted the saschpe.actions branch January 30, 2025 10:08