Scope down GitHub Token permissions #689
  | name: Send Notifications to Slack | |
| on: | |
| pull_request: | |
| types: [opened, reopened] | |
| issues: | |
| types: [opened] | |
| issue_comment: | |
| types: [created] | |
| permissions: | |
| contents: read | |
| jobs: | |
| issue-notifications: | |
| name: Send Notifications | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/github-script@v7 | |
| id: sanitize-title | |
| with: | |
| script: | | |
| const isPR = !!context.payload.pull_request; | |
| const isIssue = !!context.payload.issue; | |
| const item = isPR ? context.payload.pull_request : isIssue ? context.payload.issue : context.payload.issue_comment.issue; | |
| // Sanitization functions | |
| const sanitizeTitle = (title) => { | |
| return title | |
| // Remove potential markdown formatting | |
| .replace(/[*_~`]/g, '') | |
| // Remove potential HTML tags | |
| .replace(/<[^>]*>/g, '') | |
| // Remove multiple spaces | |
| .replace(/\s{2,}/g, ' ') | |
| // Trim whitespace | |
| .trim() | |
| // Enforce max length of 100 | |
| .substring(0, 100); | |
| }; | |
| // Escape special characters for Slack | |
| const escapeForSlack = (text) => { | |
| return text | |
| .replace(/"/g, '"') | |
| .replace(/&/g, '&') | |
| .replace(/</g, '<') | |
| .replace(/[@]/g, '\\@') | |
| .replace(/>/g, '>') | |
| .replace(/&lt;/g, '<') | |
| .replace(/&gt;/g, '>'); | |
| }; | |
| const sanitizedTitle = escapeForSlack(sanitizeTitle(item.title)); | |
| console.log('Sanitized Title: ', sanitizedTitle); | |
| core.setOutput('safe-title', sanitizedTitle); | |
| - name: Send notifications on Pull Request | |
| if: ${{ github.event_name == 'pull_request'}} | |
| id: slack_PR | |
| uses: slackapi/[email protected] | |
| with: | |
| payload: | | |
| { | |
| "Notification Type": "Pull Request", | |
| "Notification URL":"${{ github.event.pull_request.html_url }}", | |
| "GitHub Repo": "${{ github.repository }}", | |
| "Notification Title": "${{ steps.sanitize-title.outputs.safe-title }}" | |
| } | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| - name: Send notification on new issues | |
| if: ${{github.event_name == 'issues'}} | |
| id: slack_issue | |
| uses: slackapi/[email protected] | |
| with: | |
| payload: | | |
| { | |
| "Notification Type": "Issue", | |
| "Notification URL":"${{ github.event.issue.html_url }}", | |
| "GitHub Repo": "${{ github.repository }}", | |
| "Notification Title": "${{ steps.sanitize-title.outputs.safe-title }}" | |
| } | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| - name: Send notification on Issues and Pull Requests Comments | |
| if: ${{github.event_name == 'issue_comment'}} | |
| id: slack_issue_comment | |
| uses: slackapi/[email protected] | |
| with: | |
| payload: | | |
| { | |
| "Notification Type": "Issue comment", | |
| "Notification URL":"${{ github.event.comment.html_url }}", | |
| "GitHub Repo": "${{ github.repository }}", | |
| "Notification Title": "${{ steps.sanitize-title.outputs.safe-title }}" | |
| } | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |