From f75ac6042ed042c329ab3d1c9cec46b4c4b81918 Mon Sep 17 00:00:00 2001
From: Nick Brassel
Date: Fri, 23 Dec 2022 10:41:16 +1100
Subject: [PATCH] Lock down workflow permissions. (#19406)
Co-authored-by: Joel Challis
---
 .github/workflows/api.yml | 3 +++
 .github/workflows/auto_approve.yml | 2 ++
 .github/workflows/auto_tag.yml | 3 +++
 .github/workflows/cli.yml | 3 +++
 .github/workflows/develop_update.yml | 3 +++
 .github/workflows/docs.yml | 3 +++
 .github/workflows/feature_branch_update.yml | 3 +++
 .github/workflows/format.yml | 3 +++
 .github/workflows/format_push.yml | 3 +++
 .github/workflows/labeler.yml | 4 ++++
 .github/workflows/lint.yml | 3 +++
 .github/workflows/stale.yml | 9 +++++----
 .github/workflows/unit_test.yml | 3 +++
 13 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/api.yml b/.github/workflows/api.yml
index 0cff4f6e75032792242fbbc5d0ed40a101d30b3b..2abfe696fd77307cee8dfcb0bee7a5bd782c5652 100644
--- a/.github/workflows/api.yml
+++ b/.github/workflows/api.yml
@@ -1,5 +1,8 @@
 name: Update API Data
+permissions:
+ contents: read
+
 on:
 push:
 branches:
diff --git a/.github/workflows/auto_approve.yml b/.github/workflows/auto_approve.yml
index dea3f017ddd9d9e9ee6b57d24dd6fc97d8835622..1db1c49a9bb0fb1e3d3045a35e8bca33650eca8f 100644
--- a/.github/workflows/auto_approve.yml
+++ b/.github/workflows/auto_approve.yml
@@ -1,5 +1,7 @@
 name: Automatic Approve
+permissions: {}
+
 on:
 schedule:
 - cron: "*/5 * * * *"
diff --git a/.github/workflows/auto_tag.yml b/.github/workflows/auto_tag.yml
index d6fcbe48e463d94e792e3bd96f2818350628547d..d1776c058dca0f52a85bdd25709ef65ac7ecff7e 100644
--- a/.github/workflows/auto_tag.yml
+++ b/.github/workflows/auto_tag.yml
@@ -1,5 +1,8 @@
 name: Essential files modified
+permissions:
+ contents: write
+
 on:
 push:
 branches:
diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml
index 72f2ea293a0c726137684fb7df3d90ed9495ef48..aeca9679cbd418d80513f75dd9f4c1397c8545ba 100644
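Review bot: `permissions: {}` at workflow level in auto_approve.yml leaves GITHUB_TOKEN with no scopes for every job, yet the workflow's stated purpose is to approve pull requests, which requires `pull-requests: write` if the approval is made with GITHUB_TOKEN. If the approve step instead authenticates with a token held in secrets, the empty grant is the right choice, since a workflow-level `permissions` block constrains only GITHUB_TOKEN and not stored credentials; the job is outside the hunk, so which case applies cannot be confirmed here. In that case a one-line comment such as `# GITHUB_TOKEN is intentionally unscoped; the approve step uses its own token` above the block would stop the next editor from re-widening it.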
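Review bot: `contents: write` is granted at workflow level in auto_tag.yml, and likewise in develop_update.yml, docs.yml and feature_branch_update.yml, so every job in these workflows, including any checkout or build step that never pushes, receives a token that can write to the repository. The narrower shape is a read-only default at the top, `permissions:` / `  contents: read`, with `permissions:` / `  contents: write` declared only on the job that pushes; the jobs are outside these hunks, so whether a single job does all the pushing cannot be confirmed from here. Note also that pushes made with GITHUB_TOKEN do not trigger further workflow runs, so if these jobs push with a stored token in order to chain runs, the write scope on GITHUB_TOKEN may be unused and could be dropped to `read`.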
--- a/.github/workflows/cli.yml
+++ b/.github/workflows/cli.yml
@@ -1,5 +1,8 @@
 name: CLI CI
+permissions:
+ contents: read
+
 on:
 push:
 branches:
diff --git a/.github/workflows/develop_update.yml b/.github/workflows/develop_update.yml
index 18ca84162baa3f27783ffdcb24acec8cd4ad712d..9c041c42ec8eb28d44ff6068189dd88a028e9873 100644
--- a/.github/workflows/develop_update.yml
+++ b/.github/workflows/develop_update.yml
@@ -1,5 +1,8 @@
 name: Update develop after master merge
+permissions:
+ contents: write
+
 on:
 push:
 branches:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 1497739a0b524f152e3c8eb042fa5069f5dcf6b0..841573cf30ea0f2aec84a91b5ff7c00a10f6b519 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,5 +1,8 @@
 name: Generate Docs
+permissions:
+ contents: write
+
 on:
 push:
 branches:
diff --git a/.github/workflows/feature_branch_update.yml b/.github/workflows/feature_branch_update.yml
index 90cd85e355ac13c8ad4015928bc05564565bc03e..bfc4c7d65e56e42f11c3086ac46c16140c43d4b2 100644
--- a/.github/workflows/feature_branch_update.yml
+++ b/.github/workflows/feature_branch_update.yml
@@ -1,5 +1,8 @@
 name: Update feature branches after develop merge
+permissions:
+ contents: write
+
 on:
 push:
 branches:
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index b6ce4063fe78b76a40d72eeb8cbc1c8ea2b21e91..782530f62e476a4a89d3d1479d06960d9036d3cc 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -1,5 +1,8 @@
 name: PR Lint Format
+permissions:
+ contents: read
+
 on:
 pull_request:
 paths:
diff --git a/.github/workflows/format_push.yml b/.github/workflows/format_push.yml
index 910bba9a4ef632f96f4c06d845efb079d0f407df..5469ab0faa1fae4747126e17754fc127cfbf2614 100644
--- a/.github/workflows/format_push.yml
+++ b/.github/workflows/format_push.yml
@@ -1,5 +1,8 @@
 name: Lint Format
+permissions:
+ contents: read
+
 on:
 push:
 branches:
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 3b99a8f43e699f35fc4911cd5d9031256b4077cc..95f58ff003f188e42992897a4d9b66772c3c73da 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -1,5 +1,9 @@
 name: "Pull Request Labeler"
+permissions:
+ contents: read
+ pull-requests: write
+
 on:
 pull_request_target:
 types: [opened, synchronize, reopened, ready_for_review, locked]
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 5b8a45f26b37b785abe5dd46f11f71973687c2ae..8e1dbcaea27f9322a3d5bf21a5f9ea999a8fdad3 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,5 +1,8 @@
 name: PR Lint keyboards
+permissions:
+ contents: read
+
 on:
 pull_request:
 paths:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 297af8e19c462ff9bbab9a2824a5d2fd7fe70f06..1c5b3e119710a9c2eac8c9f62bed1f638db88be3 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,13 +1,14 @@
 name: 'Close stale issues and PRs'
-on:
- schedule:
- - cron: '30 1 * * *'
- workflow_dispatch:
 permissions:
 issues: write
 pull-requests: write
+on:
+ schedule:
+ - cron: '30 1 * * *'
+ workflow_dispatch:
+
 jobs:
 stale:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/unit_test.yml b/.github/workflows/unit_test.yml
index c8373441ff26ce4e4fac19160977fa6700e0af35..75ed84177bf0b4b496a706f22f60b2790f974e7c 100644
--- a/.github/workflows/unit_test.yml
+++ b/.github/workflows/unit_test.yml
@@ -1,5 +1,8 @@
 name: Unit Tests
+permissions:
+ contents: read
+
 on:
 push:
 branches:
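Review bot: The `pull-requests: write` grant in labeler.yml sits on a workflow triggered by `pull_request_target`, which is the sensitive combination: that trigger runs in the base repository's context with a write-capable token while the event comes from a fork's PR, so the scope stays safe only as long as no job checks out or executes the PR head. The added lines are the minimum a labeler needs and `contents: read` is the right companion; a comment above the block such as `# pull_request_target: base-repo token with PR write scope; jobs must not check out the PR head` would keep the intent visible to the next editor. The jobs section is outside the hunk, so whether any step checks out the PR ref cannot be confirmed from here.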