| author | neilnaveen <42328488+neilnaveen@users.noreply.github.com> | 2022-06-15 04:10:37 +0300 |
|---|---|---|
| committer | neilnaveen <42328488+neilnaveen@users.noreply.github.com> | 2022-06-15 04:10:37 +0300 |
| commit | eefbee82a51c1cd579732b52532c619c80d7fff9 (patch) | |
| tree | 4952a8929e8022f99664d893b2064170181b75a2 | |
| parent | a185605c7d9f74ad7ccb03881cecc7b9248a055e (diff) | |
chore: Set permissions for GitHub actions
Restrict the GitHub token permissions only to the required ones; this way, even if attackers succeed in compromising your workflow, they won't be able to do much.
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
| -rw-r--r-- | .github/workflows/lint.yml | 3 |
|---|---|---|
| -rw-r--r-- | .github/workflows/package.yml | 3 |
| -rw-r--r-- | .github/workflows/static-analysis.yml | 3 |
| -rw-r--r-- | .github/workflows/test.yml | 3 |
4 files changed, 12 insertions, 0 deletions
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 509fb3bc7..3a22e1f3a 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,6 +1,9 @@ name: Lint on: pull_request +permissions: + contents: read + jobs: xml-linters: runs-on: ubuntu-latest diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index e3ff20ef9..fea0e8dd5 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -7,6 +7,9 @@ on: - main - stable* +permissions: + contents: read + jobs: release-tarball: runs-on: ubuntu-latest diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index cf52dda2c..eb9d50632 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -7,6 +7,9 @@ on: - main - stable* +permissions: + contents: read + jobs: static-psalm-analysis: runs-on: ubuntu-latest diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e29d1e378..9e7ea8a31 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -7,6 +7,9 @@ on: - main - stable* +permissions: + contents: read + jobs: unit-tests: runs-on: ubuntu-latest |
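Review bot: In the lint.yml hunk, the workflow-level `permissions:` block with only `contents: read` sets every other scope of `GITHUB_TOKEN` to none, which is the intended least-privilege default; since the workflow runs on `pull_request`, the token is already read-only for forked PRs, so the explicit block mainly documents intent and covers same-repository PRs. No change needed.

Review bot: In the package.yml hunk, the `release-tarball` job now inherits `contents: read` only; if that job publishes a tarball to a GitHub release or tag, it needs `contents: write`, and that grant should be added at the job level (under `release-tarball:`) rather than widened for the whole workflow. Please verify the job's steps before merging.

Review bot: In the static-analysis.yml hunk, check whether `static-psalm-analysis` uploads results to code scanning (SARIF upload); that step requires `security-events: write`, which this workflow-level block now removes, and it would fail at runtime rather than at lint time. If it does, add the scope on that job only.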