From daf88a5ca26f7f54d8258d10d59035c4b4c2ab92 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 17 Feb 2026 06:49:00 +0000 Subject: Update actions/stale action to v10.2.0 --- .github/workflows/issue-stale.yml | 2 +- .github/workflows/pull-request-stale.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/issue-stale.yml b/.github/workflows/issue-stale.yml index cb535297e0..339fcf569e 100644 --- a/.github/workflows/issue-stale.yml +++ b/.github/workflows/issue-stale.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest if: ${{ contains(github.repository, 'jellyfin/') }} steps: - - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1 + - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 with: repo-token: ${{ secrets.JF_BOT_TOKEN }} ascending: true diff --git a/.github/workflows/pull-request-stale.yaml b/.github/workflows/pull-request-stale.yaml index 0d74e643e2..e114276c28 100644 --- a/.github/workflows/pull-request-stale.yaml +++ b/.github/workflows/pull-request-stale.yaml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest if: ${{ contains(github.repository, 'jellyfin/') }} steps: - - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1 + - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 with: repo-token: ${{ secrets.JF_BOT_TOKEN }} ascending: true -- cgit v1.2.3 From 01eb56f04753381bdc8d4a9d2b16d0901bb69afc Mon Sep 17 00:00:00 2001 
From: Andrew Rabert Date: Thu, 19 Feb 2026 23:53:48 -0500 Subject: Mitigate pull_request_target privilege escalation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Hotfix — replaces pull_request_target with pull_request to stop granting write permissions and secrets to fork PRs. Some workflows will break; can be fixed properly later. --- .github/workflows/ci-compat.yml | 4 ++-- .github/workflows/ci-openapi.yml | 6 +++--- .github/workflows/commands.yml | 2 +- .github/workflows/project-automation.yml | 2 +- .github/workflows/pull-request-conflict.yml | 4 ++-- 5 files changed, 9 insertions(+), 9 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/ci-compat.yml b/.github/workflows/ci-compat.yml index 23a82a1b2b..8e3717b332 100644 --- a/.github/workflows/ci-compat.yml +++ b/.github/workflows/ci-compat.yml @@ -1,6 +1,6 @@ name: ABI Compatibility on: - pull_request_target: + pull_request: permissions: {} @@ -77,7 +77,7 @@ jobs: pull-requests: write # to create or update comment (peter-evans/create-or-update-comment) name: ABI - Difference - if: ${{ github.event_name == 'pull_request_target' }} + if: ${{ github.event_name == 'pull_request' }} runs-on: ubuntu-latest needs: - abi-head diff --git a/.github/workflows/ci-openapi.yml b/.github/workflows/ci-openapi.yml index 08eedd54f7..3d04ac5e0b 100644 --- a/.github/workflows/ci-openapi.yml +++ b/.github/workflows/ci-openapi.yml @@ -5,7 +5,7 @@ on: - master tags: - 'v*' - pull_request_target: + pull_request: permissions: {} @@ -78,7 +78,7 @@ jobs: pull-requests: write name: OpenAPI - Difference - if: ${{ github.event_name == 'pull_request_target' }} + if: ${{ github.event_name == 'pull_request' }} runs-on: ubuntu-latest needs: - openapi-head 
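Review bot: In .github/workflows/ci-compat.yml the `ABI - Difference` job still requests `pull-requests: write` to post its comment, but under `pull_request` GitHub caps a fork PR's GITHUB_TOKEN to read-only, so that step will fail for exactly the PRs this change is about. The `OpenAPI - Difference` job in ci-openapi.yml has the same shape. A durable fix keeps the build and diff in this unprivileged workflow, uploads the report as an artifact, and posts the comment from a separate `workflow_run`-triggered workflow that treats the artifact as untrusted data (never executes it, and validates any PR number it carries). Until then, a comment above the trigger such as `# pull_request, not pull_request_target: these jobs build PR-controlled code` would guard against a well-meant revert, assuming `abi-head` and `openapi-head` do build the PR head. The job bodies continue outside the hunks, so the comment step itself is inferred from the inline permission comment.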
@@ -109,7 +109,7 @@ jobs: publish-unstable: name: OpenAPI - Publish Unstable Spec - if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }} + if: ${{ github.event_name != 'pull_request' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }} runs-on: ubuntu-latest needs: - openapi-head diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml index 2c4efcc8ca..2adb8f1010 100644 --- a/.github/workflows/commands.yml +++ b/.github/workflows/commands.yml @@ -4,7 +4,7 @@ on: types: - created - edited - pull_request_target: + pull_request: types: - labeled - synchronize diff --git a/.github/workflows/project-automation.yml b/.github/workflows/project-automation.yml index 7b29d3c817..9a9f3214a7 100644 --- a/.github/workflows/project-automation.yml +++ b/.github/workflows/project-automation.yml @@ -4,7 +4,7 @@ on: push: branches: - master - pull_request_target: + pull_request: issue_comment: permissions: {} diff --git a/.github/workflows/pull-request-conflict.yml b/.github/workflows/pull-request-conflict.yml index e6a9bf0caa..b003636a6e 100644 --- a/.github/workflows/pull-request-conflict.yml +++ b/.github/workflows/pull-request-conflict.yml @@ -4,7 +4,7 @@ on: push: branches: - master - pull_request_target: + pull_request: issue_comment: permissions: {} @@ -16,7 +16,7 @@ jobs: steps: - name: Apply label uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3 - if: ${{ github.event_name == 'push' || github.event_name == 'pull_request_target'}} + if: ${{ github.event_name == 'push' || github.event_name == 'pull_request'}} with: dirtyLabel: 'merge conflict' commentOnDirty: 'This pull request has merge conflicts. Please resolve the conflicts so the PR can be successfully reviewed and merged.' -- cgit v1.2.3 From 716f4c81982bbb31eab92b774633bf95cece44b9 Mon Sep 17 00:00:00 2001 
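Review bot: In .github/workflows/ci-openapi.yml the `publish-unstable` guard is a denylist on the event name, so it only holds while `pull_request` is the sole non-push trigger. If `pull_request_target` or another event is added later, the publish job becomes eligible again without anyone touching this line. An allowlist states the intent directly, and `contains(github.repository_owner, 'jellyfin')` is a substring match that any owner name containing that text satisfies: `if: ${{ github.event_name == 'push' && !startsWith(github.ref, 'refs/tags/v') && github.repository_owner == 'jellyfin' }}`. This assumes push is the only event meant to publish, which is what the visible `on:` context suggests; the job's steps are outside the hunk.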
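Review bot: The `issue_comment:` trigger left next to the changed line in .github/workflows/project-automation.yml still runs in the base repository's context, with whatever secrets and token permissions the jobs request, and anyone who can comment on a PR can fire it. The same trigger is visible in pull-request-conflict.yml and is presumably what sits above the `created`/`edited` types in commands.yml. The jobs are outside these hunks, so this is a check to make rather than a confirmed defect: none of them should check out or execute PR head content on that event, `github.event.comment.body` should reach `run:` steps only through `env:`, and command handling should gate on `github.event.comment.author_association`. A comment beside the trigger such as `# issue_comment runs privileged: do not check out PR code in these jobs` would record that constraint.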
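Review bot: The `Apply label` step in .github/workflows/pull-request-conflict.yml needs write access to label and comment, which a fork PR does not get under `pull_request`, so the step will error on every fork PR instead of being skipped. Restricting the PR path to same-repository branches keeps the run green and leaves the `push` path to relabel open PRs when master moves: `if: ${{ github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) }}`. The step's `with:` block continues outside the hunk, so which token it passes is not visible here.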
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 15:41:35 +0000 Subject: Update github/codeql-action action to v4.32.4 --- .github/workflows/ci-codeql-analysis.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/ci-codeql-analysis.yml b/.github/workflows/ci-codeql-analysis.yml index 10fb775fea..66fa73d25b 100644 --- a/.github/workflows/ci-codeql-analysis.yml +++ b/.github/workflows/ci-codeql-analysis.yml @@ -28,13 +28,13 @@ jobs: dotnet-version: '10.0.x' - name: Initialize CodeQL - uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3 + uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 with: languages: ${{ matrix.language }} queries: +security-extended - name: Autobuild - uses: github/codeql-action/autobuild@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3 + uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3 + uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 -- cgit v1.2.3