From 2b146801ee8d58b4a3fac1312b3514ca23cdae41 Mon Sep 17 00:00:00 2001
From: luojiyin
Date: Thu, 11 Sep 2025 11:45:41 +0800
Subject: [PATCH 1/6] CI: update checkout

---
 .github/workflows/sync-upstream.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/sync-upstream.yml b/.github/workflows/sync-upstream.yml
index 912635e4..052e6359 100644
--- a/.github/workflows/sync-upstream.yml
+++ b/.github/workflows/sync-upstream.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3 # Use the GitHub checkout action to checkout code
+        uses: actions/checkout@v4 # Use the GitHub checkout action to checkout code
 
       - uses: pnpm/action-setup@v3
         with:

From ffad2ede35f4c4e060246d1947dd3d2ad6c86d05 Mon Sep 17 00:00:00 2001
From: luojiyin
Date: Thu, 11 Sep 2025 12:03:23 +0800
Subject: [PATCH 2/6] chore: improve security by reducing READ_ACCESS_TOKEN exposure

- Move READ_ACCESS_TOKEN from job-level to step-level environment variables
- Reduces token exposure scope to only necessary steps
- Prevents token leakage in workflow logs from other steps
- Maintains existing functionality while enhancing security
---
 .github/workflows/sync-upstream.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/sync-upstream.yml b/.github/workflows/sync-upstream.yml
index 052e6359..aa54751b 100644
--- a/.github/workflows/sync-upstream.yml
+++ b/.github/workflows/sync-upstream.yml
@@ -19,7 +19,6 @@ jobs:
       MYSTEN_SPREEDSHEET_ID: ${{ secrets.MYSTEN_SPREEDSHEET_ID }}
       BLOCKLISTS_URL: ${{ secrets.BLOCKLISTS_URL }}
       ALLOWLISTS_URL: ${{ secrets.ALLOWLISTS_URL }}
-      READ_ACCESS_TOKEN: ${{ secrets.READ_ACCESS_TOKEN }}
       SHOULD_FETCH_SHEET: "false"
 
 
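Review bot: Only `READ_ACCESS_TOKEN` leaves the job-level `env:` in this hunk; `MYSTEN_SPREEDSHEET_ID`, `BLOCKLISTS_URL` and `ALLOWLISTS_URL` are still `${{ secrets.* }}` values at job scope, so they remain in the environment of every step, including `pnpm install` and, presumably, any dependency lifecycle scripts it triggers, which is exactly the exposure the commit message says it is reducing. Moving those three to `env:` on the sync step(s) that actually read them would complete the change. Note also that GitHub already masks registered secrets in job logs, so the real benefit of step scoping is narrowing which processes can read the value, not preventing log leakage; the commit message overstates that part. The enclosing job `env:` map begins before this hunk.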
@@ -34,9 +33,13 @@ jobs:
         run: pnpm install
 
       - name: Sync blocklists
+        env:
+          READ_ACCESS_TOKEN: ${{ secrets.READ_ACCESS_TOKEN }}
         run: pnpm sync-blocklists
 
       - name: Sync allowlists
+        env:
+          READ_ACCESS_TOKEN: ${{ secrets.READ_ACCESS_TOKEN }}
         run: pnpm sync-allowlists
 
       - name: Copy blocklists to src

From 5b74ad3fed732e3c295094baf0ba14e1b833492c Mon Sep 17 00:00:00 2001
From: luojiyin
Date: Thu, 11 Sep 2025 12:12:41 +0800
Subject: [PATCH 3/6] CI: update pnpm/action-setup

---
 .github/workflows/sync-upstream.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/sync-upstream.yml b/.github/workflows/sync-upstream.yml
index aa54751b..0799f4f3 100644
--- a/.github/workflows/sync-upstream.yml
+++ b/.github/workflows/sync-upstream.yml
@@ -26,7 +26,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4 # Use the GitHub checkout action to checkout code
 
-      - uses: pnpm/action-setup@v3
+      - uses: pnpm/action-setup@v4
         with:
           version: 8
       - name: Install dependencies using PNPM

From 7525c2cc75f107659a2d5c627286965bd0ab961b Mon Sep 17 00:00:00 2001
From: luojiyin
Date: Thu, 11 Sep 2025 12:18:41 +0800
Subject: [PATCH 4/6] CI: config pnpm version

---
 .github/workflows/sync-upstream.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/sync-upstream.yml b/.github/workflows/sync-upstream.yml
index 0799f4f3..1d94979f 100644
--- a/.github/workflows/sync-upstream.yml
+++ b/.github/workflows/sync-upstream.yml
@@ -28,7 +28,7 @@ jobs:
 
       - uses: pnpm/action-setup@v4
         with:
-          version: 8
+          version: 9
       - name: Install dependencies using PNPM
         run: pnpm install
 

From be5d3b593d7ceb25ddaa8492df3b916ff55f89bc Mon Sep 17 00:00:00 2001
From: luojiyin
Date: Thu, 11 Sep 2025 12:24:47 +0800
Subject: [PATCH 5/6] CI: config pnpm version

---
 .github/workflows/sync-upstream.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/sync-upstream.yml b/.github/workflows/sync-upstream.yml
index 1d94979f..5dd602a2 100644
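Review bot: The two new step-level `env:` stanzas on `Sync blocklists` and `Sync allowlists` carry no hint of why the token is scoped to these steps rather than the job, so a later tidy-up could "deduplicate" it straight back to job level and silently undo this change. A one-line comment on each would record the intent, e.g. `env: # step-scoped on purpose: keeps READ_ACCESS_TOKEN out of pnpm install and every other step`. Repeating the stanza on both steps is the right call here; the duplication is the cost of the narrower scope. Since the stated goal is keeping the token away from `pnpm install`, the install step just above (context here, not changed by this commit) is also where a lockfile-enforcing flag would belong, but that is outside this hunk's changes.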
--- a/.github/workflows/sync-upstream.yml
+++ b/.github/workflows/sync-upstream.yml
@@ -28,7 +28,7 @@ jobs:
 
       - uses: pnpm/action-setup@v4
         with:
-          version: 9
+          version: 10
       - name: Install dependencies using PNPM
         run: pnpm install
 

From 3c17ef2636fd7ecef0f3d27265df8e56de64716d Mon Sep 17 00:00:00 2001
From: luojiyin
Date: Tue, 16 Sep 2025 18:06:35 +0800
Subject: [PATCH 6/6] CI: actions/checkout v4 to v5

---
 .github/workflows/sync-upstream.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/sync-upstream.yml b/.github/workflows/sync-upstream.yml
index 5dd602a2..f9350330 100644
--- a/.github/workflows/sync-upstream.yml
+++ b/.github/workflows/sync-upstream.yml
@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4 # Use the GitHub checkout action to checkout code
+        uses: actions/checkout@v5 # Use the GitHub checkout action to checkout code
 
       - uses: pnpm/action-setup@v4
         with: