From f9590c577f914b8a359b34b343f22803e26ddade Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Mockers?= Date: Mon, 4 Aug 2025 18:27:15 +0200 Subject: [PATCH 1/3] block potential code injections in actions --- .github/workflows/example-run-report.yml | 4 +++- .github/workflows/send-screenshots-to-pixeleagle.yml | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/example-run-report.yml b/.github/workflows/example-run-report.yml index 198dee72e4586..1382dddb7490a 100644 --- a/.github/workflows/example-run-report.yml +++ b/.github/workflows/example-run-report.yml @@ -59,8 +59,10 @@ jobs: path: screenshots - name: branch name id: branch-name + env: + BRANCH_NAME: ${{ github.event.workflow_run.head_branch }} run: | - echo "result=PR-$(cat PR)-${{ github.event.workflow_run.head_branch }}" >> $GITHUB_OUTPUT + echo "result=PR-$(cat PR)-$BRANCH_NAME" >> $GITHUB_OUTPUT - name: PR number id: pr-number run: | diff --git a/.github/workflows/send-screenshots-to-pixeleagle.yml b/.github/workflows/send-screenshots-to-pixeleagle.yml index ee2b5e3dd1160..d774dafd77963 100644 --- a/.github/workflows/send-screenshots-to-pixeleagle.yml +++ b/.github/workflows/send-screenshots-to-pixeleagle.yml @@ -45,9 +45,10 @@ jobs: if: ${{ fromJSON(env.PIXELEAGLE_TOKEN_EXISTS) }} env: project: B04F67C0-C054-4A6F-92EC-F599FEC2FD1D + branch: ${{ inputs.branch }} run: | # Create a new run with its associated metadata - metadata='{"os":"${{ inputs.os }}", "commit": "${{ inputs.commit }}", "branch": "${{ inputs.branch }}"}' + metadata='{"os":"${{ inputs.os }}", "commit": "${{ inputs.commit }}", "branch": "$branch"}' run=`curl https://pixel-eagle.com/$project/runs --json "$metadata" --oauth2-bearer ${{ secrets.PIXELEAGLE_TOKEN }} | jq '.id'` SAVEIFS=$IFS From 806e91d2ae783b0a48a2e04b6f60c32310ec1fe3 Mon Sep 17 00:00:00 2001 
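Review bot: The branch name is now read from `$BRANCH_NAME`, but on the same new line `$(cat PR)` still splices the content of the `PR` file into `$GITHUB_OUTPUT` without any validation; on a `workflow_run` trigger that file presumably comes from the artifact produced by the untrusted PR run (the download step is just above the hunk), so a crafted file could append extra `key=value` outputs or a bogus PR number. I would read it into a variable and require digits before writing the output: `pr=$(cat PR)`, `[[ "$pr" =~ ^[0-9]+$ ]] || { echo "unexpected PR file content" >&2; exit 1; }`, `echo "result=PR-${pr}-${BRANCH_NAME}" >> "$GITHUB_OUTPUT"`. Quoting `"$GITHUB_OUTPUT"` is cheap hardening as well. The `PR number` step that follows continues outside the hunk, so it is possible a check already lives there, but the output on this line is written before it runs.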
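Review bot: Only `inputs.branch` was moved into `env`; `${{ inputs.os }}` and `${{ inputs.commit }}` on the `metadata=` line are still expanded by the template engine directly into shell source, and because the JSON is assembled by string concatenation a branch name containing a double quote (which git ref rules allow, as far as I know) would also yield invalid JSON. I would pass all three through `env` and let jq build the document: add `os: ${{ inputs.os }}` and `commit: ${{ inputs.commit }}` under `env:`, then `metadata=$(jq -cn --arg os "$os" --arg commit "$commit" --arg branch "$branch" '{os: $os, commit: $commit, branch: $branch}')`. The next line inlines `${{ secrets.PIXELEAGLE_TOKEN }}` with the same template-expansion pattern; moving it to `env` and using `--oauth2-bearer "$PIXELEAGLE_TOKEN"` keeps the expansion out of the script text. The run block continues past the hunk (`SAVEIFS=$IFS`).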
From: =?UTF-8?q?Fran=C3=A7ois=20Mockers?= Date: Mon, 4 Aug 2025 19:24:10 +0200 Subject: [PATCH 2/3] set default permissions for jobs that don't specify them --- .github/workflows/ci.yml | 3 +++ .github/workflows/dependencies.yml | 3 +++ .github/workflows/example-run.yml | 3 +++ .github/workflows/send-screenshots-to-pixeleagle.yml | 3 +++ .github/workflows/update-caches.yml | 3 +++ .github/workflows/validation-jobs.yml | 3 +++ .github/workflows/weekly.yml | 3 +++ 7 files changed, 21 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 68ddb854bc228..6fca335bdd670 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,8 @@ name: CI +permissions: + contents: read + on: merge_group: pull_request: diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index ceb0f42b05444..51bbb29931fce 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -1,5 +1,8 @@ name: Dependencies +permissions: + contents: read + on: pull_request: paths: diff --git a/.github/workflows/example-run.yml b/.github/workflows/example-run.yml index d26faeee56dd9..b25468bba46df 100644 --- a/.github/workflows/example-run.yml +++ b/.github/workflows/example-run.yml @@ -1,5 +1,8 @@ name: Example Run +permissions: + contents: read + on: merge_group: pull_request: diff --git a/.github/workflows/send-screenshots-to-pixeleagle.yml b/.github/workflows/send-screenshots-to-pixeleagle.yml index d774dafd77963..3a8ac2c1393cf 100644 --- a/.github/workflows/send-screenshots-to-pixeleagle.yml +++ b/.github/workflows/send-screenshots-to-pixeleagle.yml @@ -1,5 +1,8 @@ name: Send Screenshots to Pixel Eagle +permissions: + contents: read + on: workflow_call: inputs: diff --git a/.github/workflows/update-caches.yml b/.github/workflows/update-caches.yml index c086cbc7277e7..3935030eccc0f 100644 --- a/.github/workflows/update-caches.yml +++ b/.github/workflows/update-caches.yml 
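Review bot: A workflow-level `permissions:` block containing only `contents: read` sets every other scope to none for every job in the file, so any job in ci.yml (and in the other six files touched by this patch) that relied on the default write token — commenting on PRs, pushing, writing checks or issues — now needs its own job-level `permissions:`; weekly.yml's `close-any-open-issues` and `open-issue` jobs already do this with `issues: write`, but the remaining jobs are outside the hunks shown, so a pass over each file is worthwhile. A short comment above the block would help the next reader: `# Least-privilege default for the whole workflow; jobs that need more grant it at job level.`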
@@ -1,5 +1,8 @@ name: Update Actions Caches +permissions: + contents: read + on: # Manually workflow_dispatch: diff --git a/.github/workflows/validation-jobs.yml b/.github/workflows/validation-jobs.yml index 47bd3fe054bbf..2822092d1c544 100644 --- a/.github/workflows/validation-jobs.yml +++ b/.github/workflows/validation-jobs.yml @@ -1,5 +1,8 @@ name: validation jobs +permissions: + contents: read + on: merge_group: pull_request: diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml index b4ddffdb9dbb7..c858c84c6e175 100644 --- a/.github/workflows/weekly.yml +++ b/.github/workflows/weekly.yml @@ -1,5 +1,8 @@ name: Weekly beta compile test +permissions: + contents: read + on: schedule: # New versions of rust release on Thursdays. We test on Mondays to get at least 3 days of warning before all our CI breaks again. From d2ce01566e19f24df6aaf77e2f7ad055c38c381c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Mockers?= Date: Mon, 4 Aug 2025 19:24:22 +0200 Subject: [PATCH 3/3] some formatting --- .github/workflows/dependencies.yml | 8 ++++---- .github/workflows/weekly.yml | 7 +++---- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 51bbb29931fce..84c6852f86eb1 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -6,12 +6,12 @@ permissions: on: pull_request: paths: - - '**/Cargo.toml' - - 'deny.toml' + - "**/Cargo.toml" + - "deny.toml" push: paths: - - '**/Cargo.toml' - - 'deny.toml' + - "**/Cargo.toml" + - "deny.toml" branches: - main diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml index c858c84c6e175..3a1cf2a76db30 100644 --- a/.github/workflows/weekly.yml +++ b/.github/workflows/weekly.yml 
@@ -7,7 +7,7 @@ on: schedule: # New versions of rust release on Thursdays. We test on Mondays to get at least 3 days of warning before all our CI breaks again. # https://forge.rust-lang.org/release/process.html#release-day-thursday - - cron: '0 12 * * 1' + - cron: "0 12 * * 1" workflow_dispatch: env: @@ -88,7 +88,7 @@ jobs: close-any-open-issues: runs-on: ubuntu-latest - needs: ['test', 'lint', 'check-compiles'] + needs: ["test", "lint", "check-compiles"] permissions: issues: write steps: @@ -109,14 +109,13 @@ jobs: COMMENT: | [Last pipeline run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) successfully completed. Closing issue. - open-issue: name: Warn that weekly CI fails runs-on: ubuntu-latest needs: [test, lint, check-compiles] permissions: issues: write - # We disable this job on forks, because + # We disable this job on forks, because # Use always() so the job doesn't get canceled if any other jobs fail if: ${{ github.repository == 'bevyengine/bevy' && always() && contains(needs.*.result, 'failure') }} steps:
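Review bot: The formatting pass quotes `needs: ["test", "lint", "check-compiles"]` in `close-any-open-issues` while the `open-issue` job shown in the next hunk keeps `needs: [test, lint, check-compiles]` unquoted, so the file now mixes both styles for the same list. Plain job ids are safe as bare scalars here; I would either leave both unquoted or quote both, and pick the one the formatter will keep producing.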
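Review bot: The rewritten comment `# We disable this job on forks, because` still ends mid-sentence on the new side; only its trailing whitespace changed. Since the `if:` below gates on `github.repository == 'bevyengine/bevy'` and the job has `issues: write`, I would finish the thought, e.g. `# Only run in the upstream repo: a fork would otherwise file the weekly-failure issue in its own tracker.`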