chore: security update (#4447)

2025-07-22 12:20:34 +00:00 · 2025-04-03 21:58:32 +08:00
parent 7a0747947c
commit ff92dced98
8 changed files with 65 additions and 77 deletions
--- a/.github/workflows/docs-preview.yml
+++ b/.github/workflows/docs-preview.yml
@@ -1,7 +1,7 @@
 name: Preview FastGPT docs

 on:
-  pull_request_target:
+  pull_request:
    paths:
      - 'docSite/**'
  workflow_dispatch:
@@ -72,6 +72,8 @@ jobs:
          alias-domains: | #Optional
            fastgpt-staging.vercel.app
  docsOutput:
+    permissions:
+      pull-requests: write
    needs: [deploy-preview]
    runs-on: ubuntu-latest
    steps:
@@ -79,18 +81,13 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
-      - name: Write md
-        run: |
-          echo "# 🤖 Generated by deploy action" > report.md
-          echo "[👀 Visit Preview](${{ needs.deploy-preview.outputs.url }})" >> report.md
-          cat report.md
-      - name: Gh Rebot for Sealos
-        uses: labring/gh-rebot@v0.0.6
-        if: ${{ (github.event_name == 'pull_request_target') }}
+      - uses: actions/github-script@v7
        with:
-          version: v0.0.6
-        env:
-          GH_TOKEN: '${{ secrets.GH_PAT }}'
-          SEALOS_TYPE: 'pr_comment'
-          SEALOS_FILENAME: 'report.md'
-          SEALOS_REPLACE_TAG: 'DEFAULT_REPLACE_DEPLOY'
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: '[👀 Visit Preview](${{ needs.deploy-preview.outputs.url }})'
+            })
--- a/.github/workflows/docs-sync_imgs.yml
+++ b/.github/workflows/docs-sync_imgs.yml
@@ -1,6 +1,6 @@
 name: Sync images
 on:
-  pull_request_target:
+  pull_request:
    branches:
      - main
    paths:
@@ -15,13 +15,6 @@ jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        if: ${{ (github.event_name == 'pull_request_target') }}
-        with:
-          ref: ${{ github.event.pull_request.head.ref }}
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
-
      - name: Checkout
        uses: actions/checkout@v3

@@ -32,4 +25,4 @@ jobs:
          CONFIG_PATH: .github/sync_imgs.yml
          ORIGINAL_MESSAGE: true
          SKIP_PR: true
-          COMMIT_EACH_FILE: false
+          COMMIT_EACH_FILE: false
--- a/.github/workflows/fastgpt-build-image-personal.yml
+++ b/.github/workflows/fastgpt-build-image-personal.yml
@@ -9,6 +9,11 @@ on:
      - 'main'
 jobs:
  build-fastgpt-images:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
    runs-on: ubuntu-20.04
    if: github.repository != 'labring/FastGPT'
    steps:
@@ -32,7 +37,7 @@ jobs:
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GH_PAT }}
+          password: ${{ secret.GITHUB_TOKEN }}
      - name: Set DOCKER_REPO_TAGGED based on branch or tag
        run: |
          echo "DOCKER_REPO_TAGGED=ghcr.io/${{ github.repository_owner }}/fastgpt:latest" >> $GITHUB_ENV
--- a/.github/workflows/fastgpt-build-image.yml
+++ b/.github/workflows/fastgpt-build-image.yml
@@ -9,6 +9,11 @@ on:
      - 'v*'
 jobs:
  build-fastgpt-images:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
    runs-on: ubuntu-20.04
    steps:
      # install env
@@ -39,7 +44,7 @@ jobs:
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GH_PAT }}
+          password: ${{ secret.GITHUB_TOKEN }}
      - name: Login to Ali Hub
        uses: docker/login-action@v2
        with:
@@ -91,6 +96,11 @@ jobs:
          -t ${Docker_Hub_Latest} \
          .
  build-fastgpt-images-sub-route:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
    runs-on: ubuntu-20.04
    steps:
      # install env
@@ -121,7 +131,7 @@ jobs:
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GH_PAT }}
+          password: ${{ secret.GITHUB_TOKEN }}
      - name: Login to Ali Hub
        uses: docker/login-action@v2
        with:
@@ -174,6 +184,11 @@ jobs:
          -t ${Docker_Hub_Latest} \
          .
  build-fastgpt-images-sub-route-gchat:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
    runs-on: ubuntu-20.04
    steps:
      # install env
@@ -204,7 +219,7 @@ jobs:
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GH_PAT }}
+          password: ${{ secret.GITHUB_TOKEN }}
      - name: Login to Ali Hub
        uses: docker/login-action@v2
        with:
--- a/.github/workflows/fastgpt-preview-image.yml
+++ b/.github/workflows/fastgpt-preview-image.yml
@@ -1,10 +1,15 @@
 name: Preview FastGPT images
 on:
-  pull_request_target:
+  pull_request:
  workflow_dispatch:

 jobs:
  preview-fastgpt-images:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
@@ -48,20 +53,13 @@ jobs:
          --cache-to=type=local,dest=/tmp/.buildx-cache \
          -t ${DOCKER_REPO_TAGGED} \
          .
-      # Add write md step after build
-      - name: Write md
-        run: |
-          echo "# 🤖 Generated by deploy action" > report.md
-          echo "📦 Preview Image: \`${DOCKER_REPO_TAGGED}\`" >> report.md
-          cat report.md
-
-      - name: Gh Rebot for Sealos
-        uses: labring/gh-rebot@v0.0.6
-        if: ${{ (github.event_name == 'pull_request_target') }}
+      - uses: actions/github-script@v7
        with:
-          version: v0.0.6
-        env:
-          GH_TOKEN: '${{ secrets.GH_PAT }}'
-          SEALOS_TYPE: 'pr_comment'
-          SEALOS_FILENAME: 'report.md'
-          SEALOS_REPLACE_TAG: 'DEFAULT_REPLACE_DEPLOY'
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: 'Preview Image: ${{ env.DOCKER_REPO_TAGGED }}'
+            })
--- a/.github/workflows/helm-release.yaml
+++ b/.github/workflows/helm-release.yaml
@@ -8,6 +8,11 @@ on:

 jobs:
  helm:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
@@ -20,7 +25,7 @@ jobs:
        run: echo "tag=$(git describe --tags)" >> $GITHUB_OUTPUT
      - name: Release Helm
        run: |
-          echo ${{ secrets.GH_PAT }} | helm registry login ghcr.io -u ${{ github.repository_owner }} --password-stdin
+          echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io -u ${{ github.repository_owner }} --password-stdin
          export APP_VERSION=${{ steps.vars.outputs.tag }}
          export HELM_VERSION=${{ steps.vars.outputs.tag }}
          export HELM_REPO=ghcr.io/${{ github.repository_owner }}
--- a/.github/workflows/sandbox-build-image.yml
+++ b/.github/workflows/sandbox-build-image.yml
@@ -8,6 +8,11 @@ on:
      - 'v*'
 jobs:
  build-fastgpt-sandbox-images:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
    runs-on: ubuntu-20.04
    steps:
      # install env
@@ -38,7 +43,7 @@ jobs:
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GH_PAT }}
+          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to Ali Hub
        uses: docker/login-action@v2
        with: