From 07e0e52edd52bb46a5874767ca3b4fac50caa7c2 Mon Sep 17 00:00:00 2001
From: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
Date: Mon, 14 Mar 2022 08:18:21 -0500
Subject: [PATCH] Fixed permission for workflow (#5279)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

Co-authored-by: Mislav Marohnić
---
 .github/workflows/codeql.yml | 5 +++++
 .github/workflows/go.yml | 4 ++++
 .github/workflows/issueauto.yml | 13 +++++++++----
 .github/workflows/lint.yml | 3 +++
 .github/workflows/prauto.yml | 6 ++++++
 .github/workflows/releases.yml | 4 ++++
 6 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 720f1210e..034253caf 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -10,6 +10,11 @@ on:
 schedule:
 - cron: "0 0 * * 0"
 
+permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/analyze to upload SARIF results
+
 jobs:
 CodeQL-Build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 0d7e68d95..4fbf3d3b9 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -1,5 +1,9 @@
 name: Tests
 on: [push, pull_request]
+
+permissions:
+ contents: read
+
 jobs:
 build:
 strategy:
diff --git a/.github/workflows/issueauto.yml b/.github/workflows/issueauto.yml
index a366d6ed8..40c4b36e7 100644
--- a/.github/workflows/issueauto.yml
+++ b/.github/workflows/issueauto.yml
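Review bot: The `contents: read` grant added to go.yml carries no note of which step needs it, unlike the codeql.yml and releases.yml hunks in this same commit, which tag each scope with its consumer. One annotation keeps the next maintainer from widening the block without thinking: `contents: read # for actions/checkout to fetch code`. The same applies to the `contents: read` added in lint.yml.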
@@ -2,16 +2,21 @@ name: Issue Automation
 on:
 issues:
 types: [opened]
+
+permissions:
+ contents: none
+ issues: write
+
 jobs:
 issue-auto:
 runs-on: ubuntu-latest
 steps:
 - name: label incoming issue
 env:
- GH_REPO: ${{ github.repository }}
- GH_TOKEN: ${{ secrets.AUTOMATION_TOKEN }}
- ISSUENUM: ${{ github.event.issue.number }}
- ISSUEAUTHOR: ${{ github.event.issue.user.login }}
+ GH_REPO: ${{ github.repository }}
+ GH_TOKEN: ${{ secrets.AUTOMATION_TOKEN }}
+ ISSUENUM: ${{ github.event.issue.number }}
+ ISSUEAUTHOR: ${{ github.event.issue.user.login }}
 run: |
 if ! gh api orgs/cli/public_members/$ISSUEAUTHOR --silent 2>/dev/null
 then
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index ea7d4ea34..e811ef6ef 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -11,6 +11,9 @@ on:
 - go.mod
 - go.sum
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/prauto.yml b/.github/workflows/prauto.yml
index 047fb52ea..2596fa76c 100644
--- a/.github/workflows/prauto.yml
+++ b/.github/workflows/prauto.yml
@@ -2,6 +2,12 @@ name: PR Automation
 on:
 pull_request_target:
 types: [ready_for_review, opened, reopened]
+
+permissions:
+ contents: none
+ issues: write
+ pull-requests: write
+
 jobs:
 pr-auto:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
index 3e7f6cf2f..5e570350a 100644
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@@ -5,6 +5,10 @@ on:
 tags:
 - "v*"
 
+permissions:
+ contents: write # publishing releases
+ repository-projects: write # move cards between columns
+
 jobs:
 goreleaser:
 runs-on: ubuntu-latest
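Review bot: The new `permissions:` block in issueauto.yml only scopes the workflow's GITHUB_TOKEN, yet this job authenticates `gh` with `GH_TOKEN: ${{ secrets.AUTOMATION_TOKEN }}` (the re-indented `env:` lines), so `issues: write` is not the token doing the writing and the job's effective privilege is whatever that stored PAT carries. If the default token is sufficient, `GH_TOKEN: ${{ github.token }}` makes the declared scope the real bound on the job; if the PAT has to stay — presumably so the labelling events trigger other workflows, or because a later step needs a scope the default token lacks, neither of which the hunk shows — record that above `env:`, e.g. `# uses a PAT rather than GITHUB_TOKEN because <reason>; the permissions: block above does not constrain it`. The `run:` script continues past the end of the hunk, so later uses of the token are not visible here.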
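Review bot: prauto.yml runs on `pull_request_target`, where the token carries base-repository privileges and the event is raised by arbitrary forks, so the `contents: none` here is the load-bearing line of the block and deserves a comment saying so, e.g. `# pull_request_target runs with base-repo privileges; keep contents: none and do not check out or execute code from the PR head in this job`. The job steps are outside the hunk, so whether pr-auto checks out the PR head cannot be confirmed here. Also, if its `gh` calls use the same `secrets.AUTOMATION_TOKEN` as issueauto.yml, the declared `issues: write` and `pull-requests: write` will not be the scopes that actually apply.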