chore: Set permissions for GitHub actions #11295

neilnaveen · 2022-06-28T01:08:27Z

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests

Signed-off-by: neilnaveen 42328488+neilnaveen@users.noreply.github.com

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>

cla-bot · 2022-06-28T01:08:29Z

Thank you for your contribution! We require all contributors to sign our Contributor License Agreement, and we do not have a record of your signature on file. In order for us to review and merge your code, please head over to https://www.mautic.org/contributor-agreement and complete the form. There may be a short delay while the team add you as a contributor - please be patient :). Any problems contact the Product Team on Slack (get an invite at https://mautic.org/slack). CLA has not been signed by @neilnaveen.

RCheesley · 2022-07-05T10:35:49Z

@cla-bot check

cla-bot · 2022-07-05T10:35:53Z

The CLA Bot has been sent on a mission to check against the latest list and will be back shortly with its findings!

escopecz

Good catch! I hope this won't cause problems when we run those tasks 🤞

I'd ignore the CS Fixer check as this PR is not touching any PHP file and therefore it runs the CS Fixer on the whole codebase and we have some code style inconsistencies there it seems. Not caused by this PR though.

* Fix for all foreign tables segment filter with empty/notEmpty expression (#11253) * Fix for tags empty/notEmpty segment filter * Add unit tests * Adding some tags to 2 contacts to check that !empty works and testing also empty, !empty with companies * CS fixes Co-authored-by: John Linhart <admin@escope.cz> Co-authored-by: Ruth Cheesley <ruth.cheesley@acquia.com> * change lead to company trans key (#11300) Co-authored-by: John Linhart <admin@escope.cz> * Pending query optimization (#11260) * ensure the app folder is seen as the 4.3.x instead of a specific version (#11213) * align lock file with change from #11203 (#11218) * docs: add uzegonemad as a contributor for code (#11244) * docs: update README.md [skip ci] * docs: update .all-contributorsrc [skip ci] Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com> * docs: add pety-dc as a contributor for code (#11246) * docs: update README.md [skip ci] * docs: update .all-contributorsrc [skip ci] Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com> * Added message_lead_channel_channel_id index * Email pending query optimized using independent sub-queries * message_lead_channel_channel_id index reverted as the optimized query no longer uses it * EmailRepositoryTest fixed * EmailRepositoryTest increased code coverage * Added EmailRepositoryFunctionalTest to further increase code coverage * Fixing param types * Fixing pending count when some contact was deleted * Namespace fix * EmailRepositoryTest queries updated * Adding new functional test for pending count if there is an email stat with lead_id = null * email ID can be variable * CS, STAN fixes * Removing method that did not belong to this PR and is not used * Exclude contacts that are within excluded lists * MAUT-6629: Updated email of type list to consider the category prefrence. * Table prefix is set after the datasets are loaded. So we have to replace in the test * Removing test that belongs to another PR * CS, STAN fixes * Using arrow functions * CS fix * Removing test from a future PR * Fixing tests * Removing part of a feature from another PR * Test fixes * CS fix * Running "composer update --lock" after wrong git rebase conflict resolution Co-authored-by: mollux <mattias.michaux@dropsolid.com> Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com> Co-authored-by: fedys <miroslav.fedeles@gmail.com> Co-authored-by: Rahul Shinde <shinde.r.a@gmail.com> * Check existing property (fixes #11299) (#11321) * Removed charLengthLimit. * Adding a functional test for a regression bug Co-authored-by: John Linhart <admin@escope.cz> * Fix user language preference over system language (#11119) * Fix user and system locale not applying on its updates * Fix failing test * Fix failing test * Fix code smell * Segment lookup_id field : use the data-action attribute if present (#11327) Co-authored-by: John Linhart <admin@escope.cz> * Fix report export to Excel with aggregated bool columns (#11298) * Fix report xls export with aggregated columns * PHPSTAN fix * Return types in ReportBundle test fixtures Co-authored-by: John Linhart <jan@linhart.email> * Use param type by declaration in ExcelExporter Co-authored-by: John Linhart <jan@linhart.email> Co-authored-by: John Linhart <admin@escope.cz> * Changes from PR#10782 rebuilded (#11319) * Fix No Data shown for Most hit email redirects dashboard widget (#11086) Co-authored-by: John Linhart <admin@escope.cz> * Add translations for new blocks (#11006) Co-authored-by: John Linhart <admin@escope.cz> * Fix special characters in form condition value (#11093) * Fix special characters in form condition value * Fix compare sanitize special chars vs plain from post for conditonal fields * Add unit tests Co-authored-by: John Linhart <admin@escope.cz> * Cancelling new campaign should not give 500 error. (#11348) Fixes #11181 Co-authored-by: John Linhart <admin@escope.cz> * doctrine-fix was removed but master branch now has PHP 8 support (#11353) * Check the type of the value before passing it into the strpos. (#11350) * Fix issue 11267 - Sending emails via API should respect useOwnerAsMailer (#11347) * if the mailer is owner use owner email as reply-to address (#11322) Co-authored-by: John Linhart <admin@escope.cz> * Tests for sending emails through Mautic's API Add test cases for the following couple of API endpoints: POST /emails/ID/send Send a segment email to linked segment(s). POST /emails/ID/contact/CONTACT_ID/send Send a predefined email to existing contact. Tests are made with mockup HTTP queries using the `request()` method of a symfony's `KernelBrowser` object whose implementation is delegated to Mautic's `AppKernel`. As for emails that would otherwise be sent to recipients, these are caught in a mockup SMTP transport object which doesn't actually send any emails, but rather it stores a copy of the last email attempted which is made accessible to the testing facilities for verification. * Test the owner signature Include a placeholer for the signature in the email message to test that the owner's signature is used when the `useOwnerAsMailer` option is enabled. * Fix issue #11267 - Sending emails via API should respect useOwnerAsMailer Sending an email using the API endpoint `POST /emails/ID/contact/CONTACT_ID/send` does not respect the email option `useOwnerAsMailer`. The expected behaviour is for an email that would be sent by Mautic it should appear to be sent by the `owner` of the contact who is the recipient, i.e. for every sent email with the `useOwnerAsMailer` option enabled, the sender's name and sender's email should belong to the `owner'. This is a small bug where the owner is not provided in the contact information passed to the mail sender. Co-authored-by: Volha Pivavarchyk <volha@aivie.ch> Co-authored-by: John Linhart <admin@escope.cz> * Use proper env variable processor for rememberme_lifetime. (#11363) * Add core lib readme and workflow to auto-close PRs (#11354) * Add GitHub workflow to close PRs on core-lib repo * create readme for core-lib folder * Update app/README.md Co-authored-by: John Linhart <admin@escope.cz> Co-authored-by: John Linhart <admin@escope.cz> * 4.4.1 release bump (#11367) * Bumping to version 4.4.1 * regerenating production assets with bin/console m:a:g * Do not embed images before the email is really sent. (#11362) * Flip flipped locales. (#11364) * Hide tooltips on keydown and wait for a user to stop typing to create new tooltips. (#11383) * Skip embedding a tracking pixel. (#11390) * always create a new editor to make sure the correct one is used (#11376) * Implementing the RemoveUnusedPrivateMethodParameterRector Rector rule (#11232) * Implementing the RemoveUnusedPrivateMethodParameterRector Rector rule * CS fixes * Include <map><area/></map> into links tracking. (#11391) * Fixing "Deprecated in PHP 8.0: Required parameter $limit follows optional parameter $page." (#11394) * MAUT-5804 / Functional tests for segments * MAUT-5804 / Strict types * MAUT-5804 / Clean up after test * Improving type hints * Fixed return type hint * Namespace fix * Fixing key type * Updating accessing container as M4 has changed it * Fix property must not be accessed before initialization error * Fix gitpod for form submissions (#11409) * Update .gitpod.yml * Update .gitpod.yml * Update .gitpod.yml * Update deprecated command * chore: Set permissions for GitHub actions (#11295) Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com> Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com> * Copy to CC or BCC should send an email even if TO field is empty. (#11405) * Copy to CC or BCC should send an email even if TO field is empty. * Do not move CC and BCC to TO when sending emails. * Show form validation errors if an integration is published or if the … (#10539) * Show form validation errors if an integration is published or if the authorize button was clicked which is expected to happen before publishing. * Show form validation errors if an integration is published or if the authorize button was clicked which is expected to happen before publishing. Co-authored-by: Alan Hartless (he/him) <alan@devkardia.com> * Avoid api cache clear (#11420) * Build route cache with API even if the API is disabled Otherwise users must clear cache after they enable it and it has no measureable performance advantage in Symfony 4.4 * Removing default config values for API otherwise we cannot test for the opposite values These values are also set in AbstractMauticTestCase and can be overwritten * Adding a new test for when the API is disabled * Revert "doctrine-fix was removed but master branch now has PHP 8 support" (#11373) see #10651 (comment) This reverts commit 2951ac4. * Fix MJML issues with Brienz template (#11356) * Add changed files * adding missed files * Remove commercial references * 4.4.2 bump (#11433) * Bumping to version 4.4.2 * bin/console m:a:g Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com> Co-authored-by: Zdeno Kuzmany <zdeno@kuzmany.biz> Co-authored-by: Ruth Cheesley <ruth.cheesley@acquia.com> Co-authored-by: Norman Pracht - Webmecanik <npr@webmecanik.com> Co-authored-by: mollux <mattias.michaux@dropsolid.com> Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com> Co-authored-by: fedys <miroslav.fedeles@gmail.com> Co-authored-by: Rahul Shinde <shinde.r.a@gmail.com> Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: Tejas Navghane <ts.navghane@gmail.com> Co-authored-by: Benjamin Lévêque <benjamin@leveque.me> Co-authored-by: Patryk Gruszka <patryk.gruszka@comarch.pl> Co-authored-by: Anna Munk <anna.munk@comarch.pl> Co-authored-by: Volha Pivavarchyk <volha@aivie.ch> Co-authored-by: Artem Lopata <biozshock@gmail.com> Co-authored-by: abcpro1 <108011288+abcpro1@users.noreply.github.com> Co-authored-by: Adrian Schimpf <bill@aivie.ch> Co-authored-by: Lukas Sykora <lukassykora@seznam.cz> Co-authored-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com> Co-authored-by: Alan Hartless (he/him) <alan@devkardia.com>

* Fix for all foreign tables segment filter with empty/notEmpty expression (mautic#11253) * Fix for tags empty/notEmpty segment filter * Add unit tests * Adding some tags to 2 contacts to check that !empty works and testing also empty, !empty with companies * CS fixes Co-authored-by: John Linhart <admin@escope.cz> Co-authored-by: Ruth Cheesley <ruth.cheesley@acquia.com> * change lead to company trans key (mautic#11300) Co-authored-by: John Linhart <admin@escope.cz> * Pending query optimization (mautic#11260) * ensure the app folder is seen as the 4.3.x instead of a specific version (mautic#11213) * align lock file with change from mautic#11203 (mautic#11218) * docs: add uzegonemad as a contributor for code (mautic#11244) * docs: update README.md [skip ci] * docs: update .all-contributorsrc [skip ci] Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com> * docs: add pety-dc as a contributor for code (mautic#11246) * docs: update README.md [skip ci] * docs: update .all-contributorsrc [skip ci] Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com> * Added message_lead_channel_channel_id index * Email pending query optimized using independent sub-queries * message_lead_channel_channel_id index reverted as the optimized query no longer uses it * EmailRepositoryTest fixed * EmailRepositoryTest increased code coverage * Added EmailRepositoryFunctionalTest to further increase code coverage * Fixing param types * Fixing pending count when some contact was deleted * Namespace fix * EmailRepositoryTest queries updated * Adding new functional test for pending count if there is an email stat with lead_id = null * email ID can be variable * CS, STAN fixes * Removing method that did not belong to this PR and is not used * Exclude contacts that are within excluded lists * MAUT-6629: Updated email of type list to consider the category prefrence. * Table prefix is set after the datasets are loaded. So we have to replace in the test * Removing test that belongs to another PR * CS, STAN fixes * Using arrow functions * CS fix * Removing test from a future PR * Fixing tests * Removing part of a feature from another PR * Test fixes * CS fix * Running "composer update --lock" after wrong git rebase conflict resolution Co-authored-by: mollux <mattias.michaux@dropsolid.com> Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com> Co-authored-by: fedys <miroslav.fedeles@gmail.com> Co-authored-by: Rahul Shinde <shinde.r.a@gmail.com> * Check existing property (fixes mautic#11299) (mautic#11321) * Removed charLengthLimit. * Adding a functional test for a regression bug Co-authored-by: John Linhart <admin@escope.cz> * Fix user language preference over system language (mautic#11119) * Fix user and system locale not applying on its updates * Fix failing test * Fix failing test * Fix code smell * Segment lookup_id field : use the data-action attribute if present (mautic#11327) Co-authored-by: John Linhart <admin@escope.cz> * Fix report export to Excel with aggregated bool columns (mautic#11298) * Fix report xls export with aggregated columns * PHPSTAN fix * Return types in ReportBundle test fixtures Co-authored-by: John Linhart <jan@linhart.email> * Use param type by declaration in ExcelExporter Co-authored-by: John Linhart <jan@linhart.email> Co-authored-by: John Linhart <admin@escope.cz> * Changes from PR#10782 rebuilded (mautic#11319) * Fix No Data shown for Most hit email redirects dashboard widget (mautic#11086) Co-authored-by: John Linhart <admin@escope.cz> * Add translations for new blocks (mautic#11006) Co-authored-by: John Linhart <admin@escope.cz> * Fix special characters in form condition value (mautic#11093) * Fix special characters in form condition value * Fix compare sanitize special chars vs plain from post for conditonal fields * Add unit tests Co-authored-by: John Linhart <admin@escope.cz> * Cancelling new campaign should not give 500 error. (mautic#11348) Fixes mautic#11181 Co-authored-by: John Linhart <admin@escope.cz> * doctrine-fix was removed but master branch now has PHP 8 support (mautic#11353) * Check the type of the value before passing it into the strpos. (mautic#11350) * Fix issue 11267 - Sending emails via API should respect useOwnerAsMailer (mautic#11347) * if the mailer is owner use owner email as reply-to address (mautic#11322) Co-authored-by: John Linhart <admin@escope.cz> * Tests for sending emails through Mautic's API Add test cases for the following couple of API endpoints: POST /emails/ID/send Send a segment email to linked segment(s). POST /emails/ID/contact/CONTACT_ID/send Send a predefined email to existing contact. Tests are made with mockup HTTP queries using the `request()` method of a symfony's `KernelBrowser` object whose implementation is delegated to Mautic's `AppKernel`. As for emails that would otherwise be sent to recipients, these are caught in a mockup SMTP transport object which doesn't actually send any emails, but rather it stores a copy of the last email attempted which is made accessible to the testing facilities for verification. * Test the owner signature Include a placeholer for the signature in the email message to test that the owner's signature is used when the `useOwnerAsMailer` option is enabled. * Fix issue mautic#11267 - Sending emails via API should respect useOwnerAsMailer Sending an email using the API endpoint `POST /emails/ID/contact/CONTACT_ID/send` does not respect the email option `useOwnerAsMailer`. The expected behaviour is for an email that would be sent by Mautic it should appear to be sent by the `owner` of the contact who is the recipient, i.e. for every sent email with the `useOwnerAsMailer` option enabled, the sender's name and sender's email should belong to the `owner'. This is a small bug where the owner is not provided in the contact information passed to the mail sender. Co-authored-by: Volha Pivavarchyk <volha@aivie.ch> Co-authored-by: John Linhart <admin@escope.cz> * Use proper env variable processor for rememberme_lifetime. (mautic#11363) * Add core lib readme and workflow to auto-close PRs (mautic#11354) * Add GitHub workflow to close PRs on core-lib repo * create readme for core-lib folder * Update app/README.md Co-authored-by: John Linhart <admin@escope.cz> Co-authored-by: John Linhart <admin@escope.cz> * 4.4.1 release bump (mautic#11367) * Bumping to version 4.4.1 * regerenating production assets with bin/console m:a:g * Do not embed images before the email is really sent. (mautic#11362) * Flip flipped locales. (mautic#11364) * Hide tooltips on keydown and wait for a user to stop typing to create new tooltips. (mautic#11383) * Skip embedding a tracking pixel. (mautic#11390) * always create a new editor to make sure the correct one is used (mautic#11376) * Implementing the RemoveUnusedPrivateMethodParameterRector Rector rule (mautic#11232) * Implementing the RemoveUnusedPrivateMethodParameterRector Rector rule * CS fixes * Include <map><area/></map> into links tracking. (mautic#11391) * Fixing "Deprecated in PHP 8.0: Required parameter $limit follows optional parameter $page." (mautic#11394) * MAUT-5804 / Functional tests for segments * MAUT-5804 / Strict types * MAUT-5804 / Clean up after test * Improving type hints * Fixed return type hint * Namespace fix * Fixing key type * Updating accessing container as M4 has changed it * Fix property must not be accessed before initialization error * Fix gitpod for form submissions (mautic#11409) * Update .gitpod.yml * Update .gitpod.yml * Update .gitpod.yml * Update deprecated command * chore: Set permissions for GitHub actions (mautic#11295) Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com> Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com> * Copy to CC or BCC should send an email even if TO field is empty. (mautic#11405) * Copy to CC or BCC should send an email even if TO field is empty. * Do not move CC and BCC to TO when sending emails. * Show form validation errors if an integration is published or if the … (mautic#10539) * Show form validation errors if an integration is published or if the authorize button was clicked which is expected to happen before publishing. * Show form validation errors if an integration is published or if the authorize button was clicked which is expected to happen before publishing. Co-authored-by: Alan Hartless (he/him) <alan@devkardia.com> * Avoid api cache clear (mautic#11420) * Build route cache with API even if the API is disabled Otherwise users must clear cache after they enable it and it has no measureable performance advantage in Symfony 4.4 * Removing default config values for API otherwise we cannot test for the opposite values These values are also set in AbstractMauticTestCase and can be overwritten * Adding a new test for when the API is disabled * Revert "doctrine-fix was removed but master branch now has PHP 8 support" (mautic#11373) see mautic#10651 (comment) This reverts commit 2951ac4. * Fix MJML issues with Brienz template (mautic#11356) * Add changed files * adding missed files * Remove commercial references * 4.4.2 bump (mautic#11433) * Bumping to version 4.4.2 * bin/console m:a:g Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com> Co-authored-by: Zdeno Kuzmany <zdeno@kuzmany.biz> Co-authored-by: Ruth Cheesley <ruth.cheesley@acquia.com> Co-authored-by: Norman Pracht - Webmecanik <npr@webmecanik.com> Co-authored-by: mollux <mattias.michaux@dropsolid.com> Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com> Co-authored-by: fedys <miroslav.fedeles@gmail.com> Co-authored-by: Rahul Shinde <shinde.r.a@gmail.com> Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: Tejas Navghane <ts.navghane@gmail.com> Co-authored-by: Benjamin Lévêque <benjamin@leveque.me> Co-authored-by: Patryk Gruszka <patryk.gruszka@comarch.pl> Co-authored-by: Anna Munk <anna.munk@comarch.pl> Co-authored-by: Volha Pivavarchyk <volha@aivie.ch> Co-authored-by: Artem Lopata <biozshock@gmail.com> Co-authored-by: abcpro1 <108011288+abcpro1@users.noreply.github.com> Co-authored-by: Adrian Schimpf <bill@aivie.ch> Co-authored-by: Lukas Sykora <lukassykora@seznam.cz> Co-authored-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com> Co-authored-by: Alan Hartless (he/him) <alan@devkardia.com>

cla-bot bot added the cla-signed The PR contributors have signed the contributors agreement label Jul 5, 2022

escopecz changed the base branch from 4.x to 4.4 July 8, 2022 14:10

escopecz approved these changes Jul 8, 2022

View reviewed changes

escopecz added pending-test-confirmation PR's that require one test before they can be merged CI Anything related to CI (Continuous Integration) bug Issues or PR's relating to bugs labels Jul 8, 2022

biozshock approved these changes Aug 19, 2022

View reviewed changes

escopecz added ready-to-commit PR's with 2 successful tests, 1 approval, automated tests and docs and is ready to be merged and removed pending-test-confirmation PR's that require one test before they can be merged labels Aug 29, 2022

escopecz added this to the 4.4.2 milestone Aug 29, 2022

escopecz self-assigned this Aug 29, 2022

escopecz merged commit 3db3a20 into mautic:4.4 Aug 29, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

chore: Set permissions for GitHub actions #11295

chore: Set permissions for GitHub actions #11295

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

chore: Set permissions for GitHub actions #11295

chore: Set permissions for GitHub actions #11295

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!