deactivate actions-versions-updater.yml (handled by dependabot now), …

…finishing touches

.github/workflows/add-to-project.yml

@@ -5,7 +5,7 @@ on:
     types:
       - opened
 
-permissions:  # added using https://github.com/step-security/secure-repo
+permissions:
   contents: read
 
 jobs:

.github/workflows/bump-version.yml

@@ -23,7 +23,7 @@ on:
       - tox.ini
       - xclim/__init__.py
 
-permissions:  # added using https://github.com/step-security/secure-repo
+permissions:
   contents: read
 
 jobs:

.github/workflows/cache-cleaner.yml

@@ -5,7 +5,7 @@ on:
     types:
       - closed
 
-permissions:  # added using https://github.com/step-security/secure-repo
+permissions:
   contents: read
 
 jobs:

.github/workflows/first-pull-request.yml

@@ -5,7 +5,7 @@ on:
     types:
       - opened
 
-permissions:  # added using https://github.com/step-security/secure-repo
+permissions:
   contents: read
 
 jobs:

.github/workflows/label-on-approval.yml

@@ -68,7 +68,7 @@ jobs:
         with:
           issue-number: ${{ github.event.pull_request.number }}
           comment-author: 'github-actions[bot]'
-          body-includes: This Pull Request is coming from a fork and must be manually tagged `approved` in order to perform additional testing
+          body-includes: This Pull Request is coming from a fork and must be manually tagged `approved` in order to perform additional testing.
       - name: Create comment
         if: |
           (steps.fc.outputs.comment-id == '') &&

.github/workflows/label.yml

@@ -6,10 +6,15 @@
 # https://github.com/actions/labeler/blob/master/README.md
 
 name: Labeler
-on: [pull_request_target]
+on:
   # Note: potential security risk from this action using pull_request_target.
   # Do not add actions in here which need a checkout of the repo, and do not use any caching in here.
   # See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
 
 permissions:
   contents: read
@@ -30,6 +35,7 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             api.github.com:443
+
       - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/publish-mastodon.yml

@@ -15,7 +15,7 @@ on:
         default: true
         type: boolean
 
-permissions:  # added using https://github.com/step-security/secure-repo
+permissions:
   contents: read
 
 jobs:

.github/workflows/publish-pypi.yml

@@ -5,7 +5,7 @@ on:
     types:
       - published
 
-permissions:  # added using https://github.com/step-security/secure-repo
+permissions:
   contents: read
 
 jobs:

.github/workflows/scorecard.yml

@@ -12,7 +12,8 @@ on:
   schedule:
     - cron: '41 8 * * 4'
   push:
-    branches: [ "master" ]
+    branches:
+      - master
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -26,9 +27,6 @@ jobs:
       security-events: write
       # Needed to publish results and get a badge (see publish_results below).
       id-token: write
-      # Uncomment the permissions below if installing in a private repository.
-      # contents: read
-      # actions: read
 
     steps:
       - name: Harden Runner
@@ -56,9 +54,6 @@ jobs:
           #   - Publish results to OpenSSF REST API for easy access by consumers
           #   - Allows the repository to include the Scorecard badge.
           #   - See https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories:
-          #   - `publish_results` will always be set to `false`, regardless
-          #     of the value entered here.
           publish_results: true
 
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF

.github/workflows/tag-testpypi.yml

@@ -5,7 +5,7 @@ on:
     tags:
       - 'v*'
 
-permissions:  # added using https://github.com/step-security/secure-repo
+permissions:
   contents: read
 
 jobs:

.github/workflows/testdata-version.yml

@@ -1,4 +1,4 @@
-name: Verify Testing Data and Workflows
+name: Verify Testing Data
 
 on:
   pull_request:
@@ -9,7 +9,7 @@ on:
     paths:
       - .github/workflows/main.yml
 
-permissions:  # added using https://github.com/step-security/secure-repo
+permissions:
   contents: read
 
 jobs:

.github/workflows/upstream.yml

@@ -16,7 +16,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:  # added using https://github.com/step-security/secure-repo
+permissions:
   contents: read
 
 jobs:

.github/workflows/workflow-warning.yml

@@ -1,6 +1,9 @@
 name: Workflow Changes Warnings
 
 on:
+  # Note: potential security risk from this action using pull_request_target.
+  # Do not add actions in here which need a checkout of the repo, and do not use any caching in here.
+  # See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
   pull_request_target:
     types:
       - opened
@@ -16,8 +19,6 @@ jobs:
   comment-concerning-workflow-changes:
     name: Comment Concerning Workflow Changes
     runs-on: ubuntu-latest
-    # Note: There is always a potential security risk from pull_request_target.
-    # Do not add actions in here which need a checkout of the repo, and do not use any caching in here.
     if: |
       (github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name)
     permissions:
@@ -62,8 +63,7 @@ jobs:
           issue-number: ${{ github.event.pull_request.number }}
           body: |
             > **Note**
-            > This Pull Request modifies GitHub Workflows and is coming from a fork.
-            Changes have been approved by a maintainer.
+            > Changes have been approved by a maintainer.
           reactions: |
             hooray
           edit-mode: append