From e2cea6121a7b7f82693c05f63921a977ccd9a411 Mon Sep 17 00:00:00 2001 From: Alex Date: Sat, 3 Dec 2022 17:47:30 +0200 Subject: Harden GitHub Workflows security (#8664) --- .github/workflows/automation.yml | 1 + .github/workflows/commands.yml | 4 ++++ .github/workflows/openapi.yml | 5 +++++ .github/workflows/repo-stale.yaml | 1 + 4 files changed, 11 insertions(+) (limited to '.github/workflows') diff --git a/.github/workflows/automation.yml b/.github/workflows/automation.yml index 0989df64b9..2dc7fb5a3e 100644 --- a/.github/workflows/automation.yml +++ b/.github/workflows/automation.yml @@ -7,6 +7,7 @@ on: pull_request_target: issue_comment: +permissions: {} jobs: label: name: Labeling diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml index a29519b296..f7fbc4706d 100644 --- a/.github/workflows/commands.yml +++ b/.github/workflows/commands.yml @@ -9,6 +9,7 @@ on: - labeled - synchronize +permissions: {} jobs: rebase: name: Rebase @@ -34,6 +35,9 @@ jobs: GITHUB_TOKEN: ${{ secrets.JF_BOT_TOKEN }} check-backport: + permissions: + contents: read + name: Check Backport if: ${{ ( github.event.issue.pull_request && contains(github.event.comment.body, '@jellyfin-bot check backport') ) || github.event.label.name == 'stable backport' || contains(github.event.pull_request.labels.*.name, 'stable backport' ) }} runs-on: ubuntu-latest diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml index 390d140fd5..a82579f1b1 100644 --- a/.github/workflows/openapi.yml +++ b/.github/workflows/openapi.yml @@ -5,6 +5,8 @@ on: - master pull_request_target: +permissions: {} + jobs: openapi-head: name: OpenAPI - HEAD @@ -55,6 +57,9 @@ jobs: path: tests/Jellyfin.Server.Integration.Tests/bin/Release/net6.0/openapi.json openapi-diff: + permissions: + pull-requests: write # to create or update comment (peter-evans/create-or-update-comment) + name: OpenAPI - Difference if: ${{ github.event_name == 'pull_request_target' }} runs-on: ubuntu-latest 
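Review bot: The new `permissions: {}` in automation.yml constrains only the automatic `GITHUB_TOKEN`, and the diffstat shows no job-level grant was added back, so the `label` job will fail with a 403 if it labels PRs through `GITHUB_TOKEN`; if it instead uses a PAT such as `secrets.JF_BOT_TOKEN`, that token's scopes are untouched by this change while the job still fires on `pull_request_target` and `issue_comment`, both of which untrusted contributors can trigger. Confirm which token the job uses and, if it is the automatic one, add `permissions:` / `  pull-requests: write` on the job rather than at the top. The label job body lies outside the hunk.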
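Review bot: check-backport's `if:` lets any commenter start the job via `contains(github.event.comment.body, '@jellyfin-bot check backport')` with no check on `github.event.comment.author_association`, and the preceding `rebase` job (body outside this hunk) runs with `secrets.JF_BOT_TOKEN`, which `permissions: {}` does not restrict. `contents: read` is the right minimum for check-backport, but the comment path should also be gated on the commenter's role, e.g. `&& contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`, and the same gate is worth considering for whatever trigger reaches the PAT-backed rebase job.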
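Review bot: `pull-requests: write` on openapi-diff is the correct narrow grant, but the job is gated on `github.event_name == 'pull_request_target'`, and the openapi-head job earlier in this file (visible in a later hunk on this page) checks out `github.event.pull_request.head.sha` from the fork and runs `dotnet test` on it, so the artifact this job posts about is produced by untrusted code. That comment step should not interpolate the artifact or diff text into a shell `run:`; pass it via an action input or a file, and record the trust boundary next to the grant, e.g. `# the head artifact is built from the fork's PR commit under pull_request_target: treat its contents as untrusted input`. The openapi-diff steps are outside the hunk.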
diff --git a/.github/workflows/repo-stale.yaml b/.github/workflows/repo-stale.yaml index f7a77f02b1..1c6fe1492f 100644 --- a/.github/workflows/repo-stale.yaml +++ b/.github/workflows/repo-stale.yaml @@ -5,6 +5,7 @@ on: - cron: '30 1 * * *' workflow_dispatch: +permissions: {} jobs: stale: runs-on: ubuntu-latest -- cgit v1.2.3 From be17e742f156a0fbb25b1438d6457b9690c59f13 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 3 Dec 2022 08:48:05 -0700 Subject: chore(deps): update github/codeql-action digest to b2a92eb (#8834) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index adca9680fb..677bfc3dfc 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -27,11 +27,11 @@ jobs: dotnet-version: '6.0.x' - name: Initialize CodeQL - uses: github/codeql-action/init@312e093a1892bd801f026f1090904ee8e460b9b6 # v2 + uses: github/codeql-action/init@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2 with: languages: ${{ matrix.language }} queries: +security-extended - name: Autobuild - uses: github/codeql-action/autobuild@312e093a1892bd801f026f1090904ee8e460b9b6 # v2 + uses: github/codeql-action/autobuild@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@312e093a1892bd801f026f1090904ee8e460b9b6 # v2 + uses: github/codeql-action/analyze@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2 -- cgit v1.2.3 From 6f231094d590959a375b2675e384ef7ccbba7581 Mon Sep 17 00:00:00 2001 
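Review bot: `permissions: {}` is added at workflow level in repo-stale.yaml but the `stale` job receives no job-level grant back (the diffstat shows a single insertion for this file), so if it labels or closes issues and pull requests with the automatic `GITHUB_TOKEN` it will now fail with 403 on its next scheduled run. Either confirm the job runs with a PAT or add the minimum on the job: `permissions:` / `  issues: write` / `  pull-requests: write`. The stale job body is outside the hunk.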
From: Bond_009 Date: Wed, 9 Nov 2022 15:28:52 +0100 Subject: Update CI to .NET 7 --- .ci/azure-pipelines-abi.yml | 2 +- .ci/azure-pipelines-main.yml | 2 +- .ci/azure-pipelines-package.yml | 4 ++-- .ci/azure-pipelines-test.yml | 4 ++-- .github/workflows/codeql-analysis.yml | 4 ++-- .github/workflows/openapi.yml | 12 ++++++------ 6 files changed, 14 insertions(+), 14 deletions(-) (limited to '.github/workflows') diff --git a/.ci/azure-pipelines-abi.yml b/.ci/azure-pipelines-abi.yml index cf74a4201b..4b82eedb45 100644 --- a/.ci/azure-pipelines-abi.yml +++ b/.ci/azure-pipelines-abi.yml @@ -7,7 +7,7 @@ parameters: default: "ubuntu-latest" - name: DotNetSdkVersion type: string - default: 6.0.x + default: 7.0.x jobs: - job: CompatibilityCheck diff --git a/.ci/azure-pipelines-main.yml b/.ci/azure-pipelines-main.yml index b7112ba245..f3ba4b8898 100644 --- a/.ci/azure-pipelines-main.yml +++ b/.ci/azure-pipelines-main.yml @@ -1,7 +1,7 @@ parameters: LinuxImage: 'ubuntu-latest' RestoreBuildProjects: 'Jellyfin.Server/Jellyfin.Server.csproj' - DotNetSdkVersion: 6.0.x + DotNetSdkVersion: 7.0.x jobs: - job: Build diff --git a/.ci/azure-pipelines-package.yml b/.ci/azure-pipelines-package.yml index 926d1d3224..83504fefef 100644 --- a/.ci/azure-pipelines-package.yml +++ b/.ci/azure-pipelines-package.yml @@ -205,10 +205,10 @@ jobs: steps: - task: UseDotNet@2 - displayName: 'Use .NET 6.0 sdk' + displayName: 'Use .NET 7.0 sdk' inputs: packageType: 'sdk' - version: '6.0.x' + version: '7.0.x' - task: DotNetCoreCLI@2 displayName: 'Build Stable Nuget packages' diff --git a/.ci/azure-pipelines-test.yml b/.ci/azure-pipelines-test.yml index cc94dc2c5a..81362aab23 100644 --- a/.ci/azure-pipelines-test.yml +++ b/.ci/azure-pipelines-test.yml @@ -10,7 +10,7 @@ parameters: default: "tests/**/*Tests.csproj" - name: DotNetSdkVersion type: string - default: 6.0.x + default: 7.0.x jobs: - job: Test 
@@ -94,5 +94,5 @@ jobs: displayName: 'Publish OpenAPI Artifact' condition: and(succeeded(), eq(variables['Agent.OS'], 'Linux')) inputs: - targetPath: "tests/Jellyfin.Server.Integration.Tests/bin/Release/net6.0/openapi.json" + targetPath: "tests/Jellyfin.Server.Integration.Tests/bin/Release/net7.0/openapi.json" artifactName: 'OpenAPI Spec' diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 677bfc3dfc..f385aecb64 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -21,10 +21,10 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3 - - name: Setup .NET Core + - name: Setup .NET uses: actions/setup-dotnet@607fce577a46308457984d59e4954e075820f10a # tag=v3 with: - dotnet-version: '6.0.x' + dotnet-version: '7.0.x' - name: Initialize CodeQL uses: github/codeql-action/init@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2 diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml index a82579f1b1..d7ace118b2 100644 --- a/.github/workflows/openapi.yml +++ b/.github/workflows/openapi.yml @@ -18,10 +18,10 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} repository: ${{ github.event.pull_request.head.repo.full_name }} - - name: Setup .NET Core + - name: Setup .NET uses: actions/setup-dotnet@607fce577a46308457984d59e4954e075820f10a # tag=v3 with: - dotnet-version: '6.0.x' + dotnet-version: '7.0.x' - name: Generate openapi.json run: dotnet test tests/Jellyfin.Server.Integration.Tests/Jellyfin.Server.Integration.Tests.csproj -c Release --filter "Jellyfin.Server.Integration.Tests.OpenApiSpecTests" - name: Upload openapi.json @@ -30,7 +30,7 @@ jobs: name: openapi-head retention-days: 14 if-no-files-found: error - path: tests/Jellyfin.Server.Integration.Tests/bin/Release/net6.0/openapi.json + path: tests/Jellyfin.Server.Integration.Tests/bin/Release/net7.0/openapi.json openapi-base: name: OpenAPI - BASE 
@@ -42,10 +42,10 @@ jobs: uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3 with: ref: ${{ github.base_ref }} - - name: Setup .NET Core + - name: Setup .NET uses: actions/setup-dotnet@607fce577a46308457984d59e4954e075820f10a # tag=v3 with: - dotnet-version: '6.0.x' + dotnet-version: '7.0.x' - name: Generate openapi.json run: dotnet test tests/Jellyfin.Server.Integration.Tests/Jellyfin.Server.Integration.Tests.csproj -c Release --filter "Jellyfin.Server.Integration.Tests.OpenApiSpecTests" - name: Upload openapi.json @@ -54,7 +54,7 @@ jobs: name: openapi-base retention-days: 14 if-no-files-found: error - path: tests/Jellyfin.Server.Integration.Tests/bin/Release/net6.0/openapi.json + path: tests/Jellyfin.Server.Integration.Tests/bin/Release/net7.0/openapi.json openapi-diff: permissions: -- cgit v1.2.3