From 2730773389d19c256d435b0d32be28942b10da84 Mon Sep 17 00:00:00 2001
From: Claire Song
Date: Thu, 21 May 2026 10:46:30 -0400
Subject: [PATCH 1/2] Add supply chain security defaults

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/dependabot.yml | 2 ++
 .github/workflows/fetch-licenses.yaml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 76896a8..dddb2f1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,5 +3,7 @@ version: 2
 updates:
   - package-ecosystem: github-actions
     directory: "/"
+    cooldown:
+      default-days: 3
     schedule:
       interval: daily
diff --git a/.github/workflows/fetch-licenses.yaml b/.github/workflows/fetch-licenses.yaml
index 60e4e40..c1288e8 100644
--- a/.github/workflows/fetch-licenses.yaml
+++ b/.github/workflows/fetch-licenses.yaml
@@ -13,6 +13,8 @@ on:
 jobs:
   fetch-licenses:
     runs-on: ubuntu-latest
+    # TODO(security): Confirm this scheduled license update workflow still requires
+    # write-scoped GITHUB_TOKEN permissions to open/update pull requests.
     permissions:
       contents: write
       pull-requests: write

From acf49300db682d1ad1c565a0d215ce0e3ffc4f72 Mon Sep 17 00:00:00 2001
From: Claire Song
Date: Thu, 21 May 2026 15:08:51 -0400
Subject: [PATCH 2/2] Remove redundant permissions TODO

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/fetch-licenses.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/fetch-licenses.yaml b/.github/workflows/fetch-licenses.yaml
index c1288e8..60e4e40 100644
--- a/.github/workflows/fetch-licenses.yaml
+++ b/.github/workflows/fetch-licenses.yaml
@@ -13,8 +13,6 @@ on:
 jobs:
   fetch-licenses:
     runs-on: ubuntu-latest
-    # TODO(security): Confirm this scheduled license update workflow still requires
-    # write-scoped GITHUB_TOKEN permissions to open/update pull requests.
     permissions:
       contents: write
       pull-requests: write
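Review bot: The new `cooldown` block in .github/dependabot.yml carries no rationale, and a three-day hold is only meaningful against one specific risk — a freshly published action release that later turns out to be compromised or gets yanked — so the reason belongs next to the value: `# Hold new action releases for 3 days before proposing them, so a compromised or yanked release can be caught first.` The cooldown only delays when Dependabot proposes an update; it does nothing for the reference a workflow already uses, so the protection presumably assumes the workflows pin actions to full commit SHAs rather than mutable tags, which cannot be confirmed from this hunk. The unchanged `interval: daily` on the following line is compatible with the cooldown and needs no change.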
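Review bot: The TODO added above `permissions:` in .github/workflows/fetch-licenses.yaml poses a question and defers the answer, when the two lines right below it are what a reader needs explained: `contents: write` presumably lets the job push the refreshed license files to a branch and `pull-requests: write` lets it open or update the pull request, and a comment stating that, e.g. `# contents: write to push the license branch; pull-requests: write to open/update the PR`, turns the open question into a reviewable claim. If either step is performed by an action that brings its own token, the matching scope can be dropped. The `on:` trigger block and the step list of `fetch-licenses` lie outside the hunk, so whether this write-scoped token is ever exposed to untrusted checked-out content cannot be judged here. Patch 2/2 of this series deletes these same two lines again, so the series as submitted adds and then retracts a comment; squashing the two patches would leave a cleaner history.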