From 311c85635030793979f133af4ffd0213410014b0 Mon Sep 17 00:00:00 2001
From: Cary Phillips
Date: Mon, 25 Mar 2024 12:14:54 -0700
Subject: [PATCH] Improve workflow files

- Per OpenSSF, permissions should be read at the top level, with additional permissions only for the necessary run.
- Add .github/dependabot.yml
- Fix a typo in the website_workflow's filters.
- Run the snyk-scan only on the main repo, not forks, since it requires secrets.

Signed-off-by: Cary Phillips
---
 .github/dependabot.yml | 19 +++++++++++++++++++
 .github/workflows/release-notice.yml | 3 +++
 .github/workflows/snyk-scan-cron.yml | 4 ++++
 .github/workflows/website_workflow.yml | 4 ++--
 4 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..8ed51e2742
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,19 @@
+version: 2
+updates:
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      day: "monday"
+      interval: "weekly"
+
+  - package-ecosystem: "gitsubmodule"
+    directory: "/"
+    schedule:
+      day: "monday"
+      interval: "weekly"
diff --git a/.github/workflows/release-notice.yml b/.github/workflows/release-notice.yml
index f7e32a9499..d59b801fc7 100644
--- a/.github/workflows/release-notice.yml
+++ b/.github/workflows/release-notice.yml
@@ -9,6 +9,9 @@ on:
       - published
       # published should cover both 'released' and 'prereleased'
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/snyk-scan-cron.yml b/.github/workflows/snyk-scan-cron.yml
index 52671c89b5..cd32f25ed1 100644
--- a/.github/workflows/snyk-scan-cron.yml
+++ b/.github/workflows/snyk-scan-cron.yml
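Review bot: The `github-actions` entry will keep action references current, but the workflows it manages still reference actions by floating tag (`actions/checkout@v4` is visible in the snyk-scan-cron.yml hunk), which the OpenSSF Scorecard Pinned-Dependencies check this commit invokes treats as unpinned. Dependabot maintains SHA-pinned references too and bumps both the SHA and the trailing version comment, so pinning is the natural companion change: `- uses: actions/checkout@<full-commit-sha> # v4`. The `pip` and `gitsubmodule` entries both use `directory: "/"`, and Dependabot only discovers manifests in that directory; if the website's Python requirements live under `website/` rather than the repository root they need their own entry — I can't confirm the layout from this diff.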
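Review bot: The new top-level `contents: read` now also caps the `publish` job, whose steps are outside this hunk; if that job uses `GITHUB_TOKEN` for anything beyond reading the repository (opening an issue or discussion, posting a comment), it needs a job-level `permissions:` block granting just that scope, or the step will fail with 403 at the next release. The commit guards the snyk job against running in forks because it needs secrets but adds no such guard here, even though a fork that publishes its own release triggers this workflow; if `publish` also relies on repository secrets, add `if: github.repository == 'AcademySoftwareFoundation/openexr'` under `publish:` as well. The `publish` job continues past the end of the hunk.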
@@ -9,9 +9,13 @@ on:
   schedule:
     - cron: "0 4 * * 0"
 
+permissions:
+  contents: read
+
 jobs:
   snyk-scan-pr:
     runs-on: ubuntu-latest
+    if: github.repository == 'AcademySoftwareFoundation/openexr'
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/website_workflow.yml b/.github/workflows/website_workflow.yml
index 48ad3a4035..e5d95a3fd4 100644
--- a/.github/workflows/website_workflow.yml
+++ b/.github/workflows/website_workflow.yml
@@ -12,14 +12,14 @@ name: Website
 
 on:
   push:
-    branches:-ignore:
+    branches-ignore:
       - RB-*
     paths:
       - 'website/**'
       - '.github/workflows/website_workflow.yml'
 
   pull_request:
-    branches:-ignore:
+    branches-ignore:
       - RB-*
     paths:
       - 'website/**'
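Review bot: The job-level `if:` keeps the scheduled scan out of forks, but the top-level `contents: read` now also applies to `snyk-scan-pr`, whose remaining steps are beyond the hunk; if a later step uploads results to code scanning (for example `github/codeql-action/upload-sarif`), it needs `permissions: security-events: write` on the job, which the read-only default no longer provides. The condition itself reads like a copy-paste guard without context, so a one-line comment above it would help: `# Requires repository secrets that forks do not have; run only in the upstream repo`. The job name `snyk-scan-pr` also suggests a pull-request trigger while the workflow is cron-driven; renaming it to `snyk-scan` is cosmetic but avoids misleading readers of the Actions UI. The job body continues outside the hunk.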
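Review bot: The typo fix restores the `RB-*` branch filter on both triggers, but this is the one workflow in the commit that receives no `permissions:` block even though read-only top-level permissions are the commit's stated goal; the `jobs:` section is outside the hunk, so if no `permissions:` key exists elsewhere in the file the website build still runs with the default token scope. If that is the case, add `permissions:` followed by `  contents: read` at the top level and grant any write scope the deploy step needs (e.g. `pages: write` and `id-token: write` if it publishes to GitHub Pages) only on that job. `pull_request` runs from forks already receive a read-only token, so the gap matters for the `push` path.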