Allow lesson comments (giscus) under CSP: add giscus.app to script-src/frame-src #304
```yaml
name: Security
on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "17 3 * * 1"
# Scorecard publish_results requires the top-level permissions to be read-only
# (scorecard-action workflow-restrictions). Write permissions are declared only
# at the job level, on the jobs that need them.
permissions:
  contents: read
jobs:
  codeql:
    name: CodeQL
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      actions: read
    strategy:
      fail-fast: false
      matrix:
        language: [python, javascript-typescript]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v4
  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    # Fork PRs run with a restricted token and cannot reach the dependency review
    # API, so this step can fail with "not supported". Keep running the review as
    # advisory, but do not fail the workflow.
    continue-on-error: true
    permissions:
      contents: read
      pull-requests: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
  scorecard:
    name: OpenSSF Scorecard
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2.4.3
        with:
          results_file: scorecard.sarif
          results_format: sarif
          publish_results: true
      - uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: scorecard.sarif
```
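Added example, not code from the repository or this PR: a stdlib-only Python check for the rule the workflow comment states, that the root `permissions:` block stays read-only and write scopes are granted only on the jobs that need them. It assumes a conventionally indented workflow; the function names `audit_permissions`, `write_scopes` and `top_level_is_read_only` are chosen here, and the embedded `WORKFLOW` string is a constructed excerpt of the file above.

```python
import re
KEY_RE = re.compile(r"^( *)([A-Za-z0-9_-]+):\s*(.*?)\s*$")  # plain 'key: value' lines only

def audit_permissions(text):
    """Map each 'permissions:' block to its owner ('top_level' or a job id).
    Line scanner for conventionally indented workflows, not a YAML parser: list items
    are skipped, '#' comments stripped, 'permissions: read-all' shorthand goes to '*'."""
    result = {"top_level": {}, "jobs": {}}
    in_jobs, job_indent, job, block, block_indent = False, None, None, None, 0
    for raw in text.splitlines():
        if not (m := KEY_RE.match(raw.split("#", 1)[0].rstrip())):
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if block is not None and indent > block_indent:
            block[key] = value                  # e.g. 'security-events: write'
            continue
        block = None                            # a dedent closes the open mapping
        if indent == 0:
            in_jobs, job = key == "jobs", None
        elif in_jobs and value == "" and job_indent in (None, indent):
            job_indent, job = indent, key       # a job id directly under 'jobs:'
        if key == "permissions" and (indent == 0 or job):
            owner = result["top_level"] if indent == 0 else result["jobs"].setdefault(job, {})
            block, block_indent = owner, indent
            if value:                           # shorthand such as 'read-all'
                owner["*"], block = value, None
    return result

def write_scopes(perms):
    """Scopes granted 'write' (or the 'write-all' shorthand), sorted."""
    return sorted(s for s, level in perms.items() if level in ("write", "write-all"))

def top_level_is_read_only(text):
    """True only when a root 'permissions:' exists and grants no write scope; a
    missing root block fails because the repository's default token would apply."""
    top = audit_permissions(text)["top_level"]
    return bool(top) and not write_scopes(top)
# Constructed excerpt of the workflow above (comments and steps dropped).
WORKFLOW = """\
permissions:
  contents: read
jobs:
  codeql:
    permissions:
      security-events: write
  scorecard:
    permissions:
      id-token: write
"""
```

Run it against the real workflow file in CI to fail the build when someone moves a write scope to the top level.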