Fixed permission for workflow (#5279)

https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions Co-authored-by: Mislav Marohnić <mislav@github.com>
2022-03-14 08:18:21 -05:00 · 2022-03-14 08:18:21 -05:00 · 07e0e52edd
commit 07e0e52edd
parent ca98aec535
6 changed files with 31 additions and 4 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -10,6 +10,11 @@ on:
  schedule:
    - cron: "0 0 * * 0"

+permissions:
+  actions: read  # for github/codeql-action/init to get workflow details
+  contents: read  # for actions/checkout to fetch code
+  security-events: write  # for github/codeql-action/analyze to upload SARIF results
+
 jobs:
  CodeQL-Build:
    runs-on: ubuntu-latest
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@ -1,5 +1,9 @@
 name: Tests
 on: [push, pull_request]
+
+permissions:
+  contents: read
+
 jobs:
  build:
    strategy:
--- a/.github/workflows/issueauto.yml
+++ b/.github/workflows/issueauto.yml
@ -2,16 +2,21 @@ name: Issue Automation
 on:
  issues:
    types: [opened]
+
+permissions:
+  contents: none
+  issues: write
+
 jobs:
  issue-auto:
    runs-on: ubuntu-latest
    steps:
      - name: label incoming issue
        env:
-         GH_REPO: ${{ github.repository }}
-         GH_TOKEN: ${{ secrets.AUTOMATION_TOKEN }}
-         ISSUENUM: ${{ github.event.issue.number }}
-         ISSUEAUTHOR: ${{ github.event.issue.user.login }}
+          GH_REPO: ${{ github.repository }}
+          GH_TOKEN: ${{ secrets.AUTOMATION_TOKEN }}
+          ISSUENUM: ${{ github.event.issue.number }}
+          ISSUEAUTHOR: ${{ github.event.issue.user.login }}
        run: |
          if ! gh api orgs/cli/public_members/$ISSUEAUTHOR --silent 2>/dev/null
          then
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -11,6 +11,9 @@ on:
      - go.mod
      - go.sum

+permissions:
+  contents: read
+
 jobs:
  lint:
    runs-on: ubuntu-latest
--- a/.github/workflows/prauto.yml
+++ b/.github/workflows/prauto.yml
@ -2,6 +2,12 @@ name: PR Automation
 on:
  pull_request_target:
    types: [ready_for_review, opened, reopened]
+
+permissions:
+  contents: none
+  issues: write
+  pull-requests: write
+
 jobs:
  pr-auto:
    runs-on: ubuntu-latest
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@ -5,6 +5,10 @@ on:
    tags:
      - "v*"

+permissions:
+  contents: write  # publishing releases
+  repository-projects: write  # move cards between columns
+
 jobs:
  goreleaser:
    runs-on: ubuntu-latest