author | Stefan Giehl <stefan@matomo.org> | 2021-08-04 10:44:00 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-08-04 10:44:00 +0300 |
commit | 4961914bebe1100eaabcf39a19b88006341bb086 (patch) | |
tree | b917e95f7a4af769f646264a351c84f45ccd4556 /.github | |
parent | 9b1ca4d0fbc5d9fe4be6c9aea505875d86061dd1 (diff) |
Set proper permissions for github actions (#17809)
* set proper permissions for github actions
* restrict some jobs that don't need any permission
* use the commit hashes of the versions for external actions
* Only allow read access for checkout action
Diffstat (limited to '.github')
-rw-r--r-- | .github/workflows/buildtrackerjs.yml | 16 | ||||
-rw-r--r-- | .github/workflows/follow-up-reviews.yml | 12 | ||||
-rw-r--r-- | .github/workflows/inactive-prs-closing-message.yaml | 12 | ||||
-rw-r--r-- | .github/workflows/inactive-prs.yaml | 12 | ||||
-rw-r--r-- | .github/workflows/phpcs.yml | 14 | ||||
-rw-r--r-- | .github/workflows/submodules.yml | 14 | ||||
-rw-r--r-- | .github/workflows/translations.yml | 18 |
7 files changed, 96 insertions, 2 deletions
diff --git a/.github/workflows/buildtrackerjs.yml b/.github/workflows/buildtrackerjs.yml
index a297c4e4e5..e240331759 100644
--- a/.github/workflows/buildtrackerjs.yml
+++ b/.github/workflows/buildtrackerjs.yml
@@ -4,6 +4,18 @@ on:
 issue_comment:
 types: [created]
+permissions:
+ actions: read
+ checks: none
+ contents: write
+ deployments: none
+ issues: read
+ packages: none
+ pull-requests: write
+ repository-projects: none
+ security-events: none
+ statuses: none
+
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -38,10 +50,14 @@ jobs:
 echo ::set-output name=branch::$REF
 if: github.event.comment.body == 'build js'
 - uses: actions/setup-java@v1
+ permissions:
+ contents: none
 with:
 java-version: 9
 if: steps.vars.outputs.branch != ''
 - uses: actions/checkout@v2
+ permissions:
+ contents: read
 with:
 ref: ${{ steps.vars.outputs.branch }}
 lfs: false
diff --git a/.github/workflows/follow-up-reviews.yml b/.github/workflows/follow-up-reviews.yml
index a389f627e1..55f1699820 100644
--- a/.github/workflows/follow-up-reviews.yml
+++ b/.github/workflows/follow-up-reviews.yml
@@ -3,6 +3,18 @@ on:
 schedule:
 - cron: '30 1 * * *'
+permissions:
+ actions: read
+ checks: none
+ contents: read
+ deployments: none
+ issues: write
+ packages: none
+ pull-requests: write
+ repository-projects: none
+ security-events: none
+ statuses: none
+
 jobs:
 stale:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/inactive-prs-closing-message.yaml b/.github/workflows/inactive-prs-closing-message.yaml
index 9f6fe7c8e4..ea76cb6fb9 100644
--- a/.github/workflows/inactive-prs-closing-message.yaml
+++ b/.github/workflows/inactive-prs-closing-message.yaml
@@ -3,6 +3,18 @@ on:
 schedule:
 - cron: '30 1 * * *'
+permissions:
+ actions: read
+ checks: none
+ contents: read
+ deployments: none
+ issues: write
+ packages: none
+ pull-requests: write
+ repository-projects: none
+ security-events: none
+ statuses: none
+
 jobs:
 stale:
 runs-on: ubuntu-latest
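Review bot: The workflow-level `contents: write` and `pull-requests: write` are handed to a job that `issue_comment` starts for any comment reading 'build js', and nothing in this hunk restricts who may post that comment; unless a gate exists elsewhere in the file, the job (which, per the second hunk, checks out a branch derived from that comment) runs with a write token on code a non-member can supply. I would gate the trigger on the commenter's role, e.g. `if: github.event.comment.body == 'build js' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`, so only trusted commenters can start a build that holds write access. Separately, once any scope is declared the unlisted scopes default to none, so the `none` rows here are documentation rather than restriction; keeping them is fine, but a comment such as `# all scopes listed explicitly; unlisted scopes would default to none anyway` would stop a future editor from treating them as load-bearing. The build job's steps continue outside this hunk.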
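Review bot: `permissions:` is not an accepted key on a step — as far as the GitHub Actions workflow schema goes it is only valid at workflow and job level — so the two `permissions:` / `contents:` blocks added under the `setup-java` and `checkout` steps should make the workflow fail validation rather than narrow anything. The per-step intent cannot be expressed; drop both blocks and, if a narrower token than the workflow-level `contents: write` is wanted for the checkout, set it on the job as `jobs.build.permissions` (a later step that pushes the built tracker would still need write, so the job level is the real floor). While here, `actions/setup-java@v1` and `actions/checkout@v2` remain on mutable tags although the commit pins third-party actions by SHA; exempting GitHub-owned actions is a defensible choice, but it deserves a one-line comment saying so. The `vars` step and the rest of the build job lie outside this hunk.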
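Review bot: `actions: read` is granted although a scheduled follow-up/stale job has no visible need to read workflow runs or artifacts; if the `stale` job (whose steps are outside this hunk) only uses a stale/labeling action, this should be `actions: none`. The remainder is the right shape for a comment-and-label bot: `contents: read`, write only on `issues` and `pull-requests`. The scopes set to `none` are already the default once any scope is declared, so they act as documentation; if that is the intent, a comment like `# scopes are listed exhaustively so the full token is visible at a glance` would keep the next editor from trimming them.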
diff --git a/.github/workflows/inactive-prs.yaml b/.github/workflows/inactive-prs.yaml
index 747291a163..00b021d22a 100644
--- a/.github/workflows/inactive-prs.yaml
+++ b/.github/workflows/inactive-prs.yaml
@@ -3,6 +3,18 @@ on:
 schedule:
 - cron: '30 1 * * *'
+permissions:
+ actions: read
+ checks: none
+ contents: read
+ deployments: none
+ issues: write
+ packages: none
+ pull-requests: write
+ repository-projects: none
+ security-events: none
+ statuses: none
+
 jobs:
 stale:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/phpcs.yml b/.github/workflows/phpcs.yml
index 169942b071..126a30eff9 100644
--- a/.github/workflows/phpcs.yml
+++ b/.github/workflows/phpcs.yml
@@ -2,6 +2,18 @@ name: PHPCS check
 on: pull_request
+permissions:
+ actions: read
+ checks: read
+ contents: read
+ deployments: none
+ issues: read
+ packages: none
+ pull-requests: read
+ repository-projects: none
+ security-events: none
+ statuses: read
+
 jobs:
 phpcs:
 name: PHPCS
@@ -11,7 +23,7 @@ jobs:
 - name: Install dependencies
 run: composer install --dev --prefer-dist --no-progress --no-suggest
 - name: PHPCS check
- uses: chekalsky/phpcs-action@v1
+ uses: chekalsky/phpcs-action@e269c2f264f400adcda7c6b24c8550302350d495
 with:
 phpcs_bin_path: './vendor/bin/phpcs'
 enable_warnings: true
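Review bot: The SHA pin on `chekalsky/phpcs-action` drops the human-readable version the `@v1` tag carried, and nothing records which release `e269c2f…` corresponds to, so the pin is hard to review and invisible to Dependabot/Renovate; append the tag as a trailing comment, `uses: chekalsky/phpcs-action@e269c2f264f400adcda7c6b24c8550302350d495 # v1`. When pinning by SHA it is also worth confirming the commit is reachable from a tag or branch of `chekalsky/phpcs-action` itself rather than only from a fork in the same network, since the reference does not prove that by itself. Running `composer install` on the PR checkout with the read-only token this commit sets at workflow level is the right pairing for a `pull_request` trigger. The `phpcs` job's earlier steps are outside this hunk.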
\ No newline at end of file
diff --git a/.github/workflows/submodules.yml b/.github/workflows/submodules.yml
index 47cfa12726..b4daa3b7e3 100644
--- a/.github/workflows/submodules.yml
+++ b/.github/workflows/submodules.yml
@@ -5,6 +5,18 @@ on:
 schedule:
 - cron: "0 2 * * 5"
+permissions:
+ actions: read
+ checks: none
+ contents: write
+ deployments: none
+ issues: read
+ packages: none
+ pull-requests: write
+ repository-projects: none
+ security-events: none
+ statuses: none
+
 jobs:
 build:
@@ -12,6 +24,8 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+ permissions:
+ contents: read
 with:
 ref: '4.x-dev'
 lfs: false
diff --git a/.github/workflows/translations.yml b/.github/workflows/translations.yml
index 7e03f5de73..d2d2edd5bb 100644
--- a/.github/workflows/translations.yml
+++ b/.github/workflows/translations.yml
@@ -5,6 +5,18 @@ on:
 schedule:
 - cron: "0 2 * * 6"
+permissions:
+ actions: read
+ checks: none
+ contents: write
+ deployments: none
+ issues: read
+ packages: none
+ pull-requests: write
+ repository-projects: none
+ security-events: none
+ statuses: none
+
 jobs:
 build:
@@ -22,10 +34,14 @@ jobs:
 steps:
- - uses: shivammathur/setup-php@v2
+ - uses: shivammathur/setup-php@36cb9fb0fccf887130d6c5a3d40a3b3479310026
+ permissions:
+ contents: none
 with:
 php-version: '7.3'
 - uses: actions/checkout@v2
+ permissions:
+ contents: read
 with:
 ref: '4.x-dev'
 lfs: false |
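Review bot: The `permissions:` / `contents: read` block added under the `actions/checkout@v2` step is not valid step syntax — `permissions` is accepted only at workflow and job level — so this hunk most likely breaks the workflow instead of narrowing the checkout. Remove the two lines; the checkout already runs with the workflow-level token, and a read-only checkout can only be expressed per job (`jobs.build.permissions`), which the later steps of this job (outside the hunk) presumably cannot accept if they commit the updated submodules with the `contents: write` granted at workflow level. `actions/checkout@v2` is also left on a mutable tag while third-party actions in this commit are pinned to SHAs; if GitHub-owned actions are exempted on purpose, a one-line comment saying so would help the next reader.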
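Review bot: `permissions:` under a step (`setup-php` and `checkout` here) is not part of the step schema as far as I know and should be rejected when the workflow is parsed; drop those four added lines and put any narrowing on `jobs.build.permissions` instead. The SHA pin for `shivammathur/setup-php` records nothing about the version it replaced, which makes the pin unreviewable and invisible to Dependabot/Renovate; write `uses: shivammathur/setup-php@36cb9fb0fccf887130d6c5a3d40a3b3479310026 # v2` (or the exact v2.x tag that SHA belongs to). `actions/checkout@v2` stays unpinned in the same hunk; if GitHub-owned actions are deliberately exempt from pinning, say so in a comment next to it. The job's later steps are outside this hunk.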