authorVarun Sharma <varunsh@stepsecurity.io>2022-07-13 00:50:46 +0300
committerDanielle Adams <adamzdanielle@gmail.com>2022-07-26 04:43:30 +0300
commit364deeadcd6675b30363dd3caaa7879f65f6e0c6 (patch)
tree7fc23a0b7b79c687f17759c793f791f33c17b8e3 /.github
parent1deb6b73b79090c11dcb6784e043d0c795a06225 (diff)
build: add GitHub token permissions for workflows
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io> PR-URL: https://github.com/nodejs/node/pull/43743 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/authors.yml3
-rw-r--r--.github/workflows/auto-start-ci.yml8
-rw-r--r--.github/workflows/build-tarball.yml3
-rw-r--r--.github/workflows/build-windows.yml3
-rw-r--r--.github/workflows/close-stale-feature-requests.yml6
-rw-r--r--.github/workflows/close-stalled.yml6
-rw-r--r--.github/workflows/comment-labeled.yml8
-rw-r--r--.github/workflows/commit-lint.yml3
-rw-r--r--.github/workflows/commit-queue.yml5
-rw-r--r--.github/workflows/coverage-linux.yml3
-rw-r--r--.github/workflows/coverage-windows.yml3
-rw-r--r--.github/workflows/daily.yml3
-rw-r--r--.github/workflows/doc.yml3
-rw-r--r--.github/workflows/find-inactive-collaborators.yml3
-rw-r--r--.github/workflows/find-inactive-tsc.yml3
-rw-r--r--.github/workflows/label-pr.yml3
-rw-r--r--.github/workflows/license-builder.yml6
-rw-r--r--.github/workflows/linters.yml3
-rw-r--r--.github/workflows/notify-force-push.yml3
-rw-r--r--.github/workflows/test-asan.yml3
-rw-r--r--.github/workflows/test-internet.yml3
-rw-r--r--.github/workflows/test-linux.yml3
-rw-r--r--.github/workflows/test-macos.yml3
-rw-r--r--.github/workflows/tools.yml3
24 files changed, 93 insertions, 0 deletions
diff --git a/.github/workflows/authors.yml b/.github/workflows/authors.yml
index 80d6b0ab22f..e33089ea252 100644
--- a/.github/workflows/authors.yml
+++ b/.github/workflows/authors.yml
@@ -6,6 +6,9 @@ on:
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
authors_update:
if: github.repository == 'nodejs/node'
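Review bot: `authors_update` is left with only the workflow-level `contents: read`, while `update_license` in license-builder.yml gets `contents: write` and `pull-requests: write` in this same commit for what looks, from the job names, like the same kind of task. The steps are outside the hunk, so the token the job authenticates with is not visible. If it pushes or opens a pull request with `GITHUB_TOKEN` it needs the same job-level block; if it uses a separate credential, a comment such as `# GITHUB_TOKEN stays read-only; writes use a separate token` under `permissions:` would record that decision. The same question applies to `tools-deps-update` in tools.yml, to `label` in label-pr.yml (which runs on `pull_request_target`), and to any jobs after `get_mergeable_prs` in commit-queue.yml.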
diff --git a/.github/workflows/auto-start-ci.yml b/.github/workflows/auto-start-ci.yml
index ed5606a58f1..98f562fd00b 100644
--- a/.github/workflows/auto-start-ci.yml
+++ b/.github/workflows/auto-start-ci.yml
@@ -13,8 +13,13 @@ concurrency: ${{ github.workflow }}
env:
NODE_VERSION: lts/*
+permissions:
+ contents: read
+
jobs:
get-prs-for-ci:
+ permissions:
+ pull-requests: read
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
outputs:
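Review bot: The job-level `permissions` block on `get-prs-for-ci` replaces the workflow default rather than adding to it, so this job runs with `pull-requests: read` and every other scope, including `contents`, set to none. `start-ci` in the next hunk restates `contents: read`, which makes the difference easy to miss. If dropping `contents` is intended, say so on the key, for example `pull-requests: read  # only scope this job needs; contents is none here`, in the style of the comments in close-stale-feature-requests.yml. The job body continues outside the hunk, so whether it has a checkout step cannot be confirmed from here. `get_mergeable_prs` in commit-queue.yml and both jobs in comment-labeled.yml carry the same uncommented blocks.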
@@ -32,6 +37,9 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
start-ci:
+ permissions:
+ contents: read
+ pull-requests: write
needs: get-prs-for-ci
if: needs.get-prs-for-ci.outputs.numbers != ''
runs-on: ubuntu-latest
diff --git a/.github/workflows/build-tarball.yml b/.github/workflows/build-tarball.yml
index 52e3ac97c68..4509450172f 100644
--- a/.github/workflows/build-tarball.yml
+++ b/.github/workflows/build-tarball.yml
@@ -31,6 +31,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare
+permissions:
+ contents: read
+
jobs:
build-tarball:
if: github.event.pull_request.draft == false
diff --git a/.github/workflows/build-windows.yml b/.github/workflows/build-windows.yml
index c85c9976dfd..6ef65b9c64f 100644
--- a/.github/workflows/build-windows.yml
+++ b/.github/workflows/build-windows.yml
@@ -26,6 +26,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare
+permissions:
+ contents: read
+
jobs:
build-windows:
if: github.event.pull_request.draft == false
diff --git a/.github/workflows/close-stale-feature-requests.yml b/.github/workflows/close-stale-feature-requests.yml
index c815b9acbae..834c4c84c28 100644
--- a/.github/workflows/close-stale-feature-requests.yml
+++ b/.github/workflows/close-stale-feature-requests.yml
@@ -28,8 +28,14 @@ env:
[feature request management document](https://github.com/nodejs/node/blob/HEAD/doc/contributing/feature-request-management.md).
# yamllint enable
+permissions:
+ contents: read
+
jobs:
stale:
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
steps:
diff --git a/.github/workflows/close-stalled.yml b/.github/workflows/close-stalled.yml
index 347b22bd70c..509d79056f9 100644
--- a/.github/workflows/close-stalled.yml
+++ b/.github/workflows/close-stalled.yml
@@ -9,8 +9,14 @@ env:
is still relevant, or to ping the collaborator who labelled it stalled if
you have any questions.
+permissions:
+ contents: read
+
jobs:
stale:
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
steps:
diff --git a/.github/workflows/comment-labeled.yml b/.github/workflows/comment-labeled.yml
index 5c529000a63..5f59a48bb5a 100644
--- a/.github/workflows/comment-labeled.yml
+++ b/.github/workflows/comment-labeled.yml
@@ -11,8 +11,14 @@ env:
If it should remain open, please leave a comment explaining why it should remain open.
FAST_TRACK_MESSAGE: Fast-track has been requested by @${{ github.actor }}. Please 👍 to approve.
+permissions:
+ contents: read
+
jobs:
stale-comment:
+ permissions:
+ issues: write
+ pull-requests: write
if: github.repository == 'nodejs/node' && github.event.label.name == 'stalled'
runs-on: ubuntu-latest
steps:
@@ -23,6 +29,8 @@ jobs:
run: gh issue comment "$NUMBER" --repo ${{ github.repository }} --body "$STALE_MESSAGE"
fast-track:
+ permissions:
+ pull-requests: write
if: github.repository == 'nodejs/node' && github.event_name == 'pull_request_target' && github.event.label.name == 'fast-track'
runs-on: ubuntu-latest
steps:
diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml
index 1863a79ab17..738a034aecb 100644
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@@ -5,6 +5,9 @@ on: [pull_request]
env:
NODE_VERSION: lts/*
+permissions:
+ contents: read
+
jobs:
lint-commit-message:
runs-on: ubuntu-latest
diff --git a/.github/workflows/commit-queue.yml b/.github/workflows/commit-queue.yml
index d8189f85e8a..ac57fbb0e01 100644
--- a/.github/workflows/commit-queue.yml
+++ b/.github/workflows/commit-queue.yml
@@ -18,8 +18,13 @@ concurrency: ${{ github.workflow }}
env:
NODE_VERSION: lts/*
+permissions:
+ contents: read
+
jobs:
get_mergeable_prs:
+ permissions:
+ pull-requests: read
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
outputs:
diff --git a/.github/workflows/coverage-linux.yml b/.github/workflows/coverage-linux.yml
index 5e8115a9245..abd69801f60 100644
--- a/.github/workflows/coverage-linux.yml
+++ b/.github/workflows/coverage-linux.yml
@@ -29,6 +29,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare
+permissions:
+ contents: read
+
jobs:
coverage-linux:
if: github.event.pull_request.draft == false
diff --git a/.github/workflows/coverage-windows.yml b/.github/workflows/coverage-windows.yml
index 287872d79f3..d9c5bfb58d6 100644
--- a/.github/workflows/coverage-windows.yml
+++ b/.github/workflows/coverage-windows.yml
@@ -31,6 +31,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare
+permissions:
+ contents: read
+
jobs:
coverage-windows:
if: github.event.pull_request.draft == false
diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml
index aabc566f544..f14bde4c7fb 100644
--- a/.github/workflows/daily.yml
+++ b/.github/workflows/daily.yml
@@ -8,6 +8,9 @@ on:
env:
NODE_VERSION: lts/*
+permissions:
+ contents: read
+
jobs:
build-lto:
runs-on: ubuntu-latest
diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml
index 474a8dd7eac..72abb16ad50 100644
--- a/.github/workflows/doc.yml
+++ b/.github/workflows/doc.yml
@@ -16,6 +16,9 @@ concurrency:
env:
NODE_VERSION: lts/*
+permissions:
+ contents: read
+
jobs:
build-docs:
if: github.event.pull_request.draft == false
diff --git a/.github/workflows/find-inactive-collaborators.yml b/.github/workflows/find-inactive-collaborators.yml
index 7445dd8ca84..ce47c0a1dde 100644
--- a/.github/workflows/find-inactive-collaborators.yml
+++ b/.github/workflows/find-inactive-collaborators.yml
@@ -10,6 +10,9 @@ on:
env:
NODE_VERSION: lts/*
+permissions:
+ contents: read
+
jobs:
find:
if: github.repository == 'nodejs/node'
diff --git a/.github/workflows/find-inactive-tsc.yml b/.github/workflows/find-inactive-tsc.yml
index 389a6d1e0f5..2f6afec4227 100644
--- a/.github/workflows/find-inactive-tsc.yml
+++ b/.github/workflows/find-inactive-tsc.yml
@@ -10,6 +10,9 @@ on:
env:
NODE_VERSION: lts/*
+permissions:
+ contents: read
+
jobs:
find:
if: github.repository == 'nodejs/node'
diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml
index 58e9b226dab..922a9359f5e 100644
--- a/.github/workflows/label-pr.yml
+++ b/.github/workflows/label-pr.yml
@@ -4,6 +4,9 @@ on:
pull_request_target:
types: [opened]
+permissions:
+ contents: read
+
jobs:
label:
runs-on: ubuntu-latest
diff --git a/.github/workflows/license-builder.yml b/.github/workflows/license-builder.yml
index 790bab9e397..3c966da1d5b 100644
--- a/.github/workflows/license-builder.yml
+++ b/.github/workflows/license-builder.yml
@@ -6,8 +6,14 @@ on:
- cron: 0 0 * * 1
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
update_license:
+ permissions:
+ contents: write # for gr2m/create-or-update-pull-request-action to push local changes
+ pull-requests: write # for gr2m/create-or-update-pull-request-action to create a PR
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
steps:
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index c9873d188a8..1b5c9e8f9ba 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -17,6 +17,9 @@ env:
PYTHON_VERSION: '3.10'
NODE_VERSION: lts/*
+permissions:
+ contents: read
+
jobs:
lint-addon-docs:
if: github.event.pull_request.draft == false
diff --git a/.github/workflows/notify-force-push.yml b/.github/workflows/notify-force-push.yml
index 32876584edb..69aacc8524f 100644
--- a/.github/workflows/notify-force-push.yml
+++ b/.github/workflows/notify-force-push.yml
@@ -4,6 +4,9 @@ on:
- main
name: Notify on Force Push
+permissions:
+ contents: read
+
jobs:
slackNotification:
name: Slack Notification
diff --git a/.github/workflows/test-asan.yml b/.github/workflows/test-asan.yml
index b345eded201..ba30449e90b 100644
--- a/.github/workflows/test-asan.yml
+++ b/.github/workflows/test-asan.yml
@@ -33,6 +33,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare
+permissions:
+ contents: read
+
jobs:
test-asan:
if: github.event.pull_request.draft == false
diff --git a/.github/workflows/test-internet.yml b/.github/workflows/test-internet.yml
index 75f508bfe01..297ceea987a 100644
--- a/.github/workflows/test-internet.yml
+++ b/.github/workflows/test-internet.yml
@@ -24,6 +24,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare
+permissions:
+ contents: read
+
jobs:
test-internet:
runs-on: ubuntu-latest
diff --git a/.github/workflows/test-linux.yml b/.github/workflows/test-linux.yml
index b2fa9e0a0cb..4cc09f22c25 100644
--- a/.github/workflows/test-linux.yml
+++ b/.github/workflows/test-linux.yml
@@ -26,6 +26,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare
+permissions:
+ contents: read
+
jobs:
test-linux:
if: github.event.pull_request.draft == false
diff --git a/.github/workflows/test-macos.yml b/.github/workflows/test-macos.yml
index f342dbfa0f1..5f93730d666 100644
--- a/.github/workflows/test-macos.yml
+++ b/.github/workflows/test-macos.yml
@@ -32,6 +32,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare
+permissions:
+ contents: read
+
jobs:
test-macOS:
if: github.event.pull_request.draft == false
diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml
index 3d58558ce69..dbd664ea64a 100644
--- a/.github/workflows/tools.yml
+++ b/.github/workflows/tools.yml
@@ -6,6 +6,9 @@ on:
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
tools-deps-update:
if: github.repository == 'nodejs/node'