diff options
author | Varun Sharma <varunsh@stepsecurity.io> | 2022-07-13 00:50:46 +0300 |
---|---|---|
committer | Danielle Adams <adamzdanielle@gmail.com> | 2022-07-26 04:43:30 +0300 |
commit | 364deeadcd6675b30363dd3caaa7879f65f6e0c6 (patch) | |
tree | 7fc23a0b7b79c687f17759c793f791f33c17b8e3 /.github | |
parent | 1deb6b73b79090c11dcb6784e043d0c795a06225 (diff) |
build: add GitHub token permissions for workflows
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
PR-URL: https://github.com/nodejs/node/pull/43743
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Diffstat (limited to '.github')
24 files changed, 93 insertions, 0 deletions
diff --git a/.github/workflows/authors.yml b/.github/workflows/authors.yml index 80d6b0ab22f..e33089ea252 100644 --- a/.github/workflows/authors.yml +++ b/.github/workflows/authors.yml @@ -6,6 +6,9 @@ on: workflow_dispatch: +permissions: + contents: read + jobs: authors_update: if: github.repository == 'nodejs/node' diff --git a/.github/workflows/auto-start-ci.yml b/.github/workflows/auto-start-ci.yml index ed5606a58f1..98f562fd00b 100644 --- a/.github/workflows/auto-start-ci.yml +++ b/.github/workflows/auto-start-ci.yml @@ -13,8 +13,13 @@ concurrency: ${{ github.workflow }} env: NODE_VERSION: lts/* +permissions: + contents: read + jobs: get-prs-for-ci: + permissions: + pull-requests: read if: github.repository == 'nodejs/node' runs-on: ubuntu-latest outputs: @@ -32,6 +37,9 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} start-ci: + permissions: + contents: read + pull-requests: write needs: get-prs-for-ci if: needs.get-prs-for-ci.outputs.numbers != '' runs-on: ubuntu-latest diff --git a/.github/workflows/build-tarball.yml b/.github/workflows/build-tarball.yml index 52e3ac97c68..4509450172f 100644 --- a/.github/workflows/build-tarball.yml +++ b/.github/workflows/build-tarball.yml @@ -31,6 +31,9 @@ env: PYTHON_VERSION: '3.10' FLAKY_TESTS: dontcare +permissions: + contents: read + jobs: build-tarball: if: github.event.pull_request.draft == false diff --git a/.github/workflows/build-windows.yml b/.github/workflows/build-windows.yml index c85c9976dfd..6ef65b9c64f 100644 --- a/.github/workflows/build-windows.yml +++ b/.github/workflows/build-windows.yml @@ -26,6 +26,9 @@ env: PYTHON_VERSION: '3.10' FLAKY_TESTS: dontcare +permissions: + contents: read + jobs: build-windows: if: github.event.pull_request.draft == false diff --git a/.github/workflows/close-stale-feature-requests.yml b/.github/workflows/close-stale-feature-requests.yml index c815b9acbae..834c4c84c28 100644 --- a/.github/workflows/close-stale-feature-requests.yml +++ b/.github/workflows/close-stale-feature-requests.yml @@ -28,8 +28,14 @@ env: [feature request management document](https://github.com/nodejs/node/blob/HEAD/doc/contributing/feature-request-management.md). # yamllint enable +permissions: + contents: read + jobs: stale: + permissions: + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs if: github.repository == 'nodejs/node' runs-on: ubuntu-latest steps: diff --git a/.github/workflows/close-stalled.yml b/.github/workflows/close-stalled.yml index 347b22bd70c..509d79056f9 100644 --- a/.github/workflows/close-stalled.yml +++ b/.github/workflows/close-stalled.yml @@ -9,8 +9,14 @@ env: is still relevant, or to ping the collaborator who labelled it stalled if you have any questions. +permissions: + contents: read + jobs: stale: + permissions: + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs if: github.repository == 'nodejs/node' runs-on: ubuntu-latest steps: diff --git a/.github/workflows/comment-labeled.yml b/.github/workflows/comment-labeled.yml index 5c529000a63..5f59a48bb5a 100644 --- a/.github/workflows/comment-labeled.yml +++ b/.github/workflows/comment-labeled.yml @@ -11,8 +11,14 @@ env: If it should remain open, please leave a comment explaining why it should remain open. FAST_TRACK_MESSAGE: Fast-track has been requested by @${{ github.actor }}. Please 👍 to approve. +permissions: + contents: read + jobs: stale-comment: + permissions: + issues: write + pull-requests: write if: github.repository == 'nodejs/node' && github.event.label.name == 'stalled' runs-on: ubuntu-latest steps: @@ -23,6 +29,8 @@ jobs: run: gh issue comment "$NUMBER" --repo ${{ github.repository }} --body "$STALE_MESSAGE" fast-track: + permissions: + pull-requests: write if: github.repository == 'nodejs/node' && github.event_name == 'pull_request_target' && github.event.label.name == 'fast-track' runs-on: ubuntu-latest steps: diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml index 1863a79ab17..738a034aecb 100644 --- a/.github/workflows/commit-lint.yml +++ b/.github/workflows/commit-lint.yml @@ -5,6 +5,9 @@ on: [pull_request] env: NODE_VERSION: lts/* +permissions: + contents: read + jobs: lint-commit-message: runs-on: ubuntu-latest diff --git a/.github/workflows/commit-queue.yml b/.github/workflows/commit-queue.yml index d8189f85e8a..ac57fbb0e01 100644 --- a/.github/workflows/commit-queue.yml +++ b/.github/workflows/commit-queue.yml @@ -18,8 +18,13 @@ concurrency: ${{ github.workflow }} env: NODE_VERSION: lts/* +permissions: + contents: read + jobs: get_mergeable_prs: + permissions: + pull-requests: read if: github.repository == 'nodejs/node' runs-on: ubuntu-latest outputs: diff --git a/.github/workflows/coverage-linux.yml b/.github/workflows/coverage-linux.yml index 5e8115a9245..abd69801f60 100644 --- a/.github/workflows/coverage-linux.yml +++ b/.github/workflows/coverage-linux.yml @@ -29,6 +29,9 @@ env: PYTHON_VERSION: '3.10' FLAKY_TESTS: dontcare +permissions: + contents: read + jobs: coverage-linux: if: github.event.pull_request.draft == false diff --git a/.github/workflows/coverage-windows.yml b/.github/workflows/coverage-windows.yml index 287872d79f3..d9c5bfb58d6 100644 --- a/.github/workflows/coverage-windows.yml +++ b/.github/workflows/coverage-windows.yml @@ -31,6 +31,9 @@ env: PYTHON_VERSION: '3.10' FLAKY_TESTS: dontcare +permissions: + contents: read + jobs: coverage-windows: if: github.event.pull_request.draft == false diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml index aabc566f544..f14bde4c7fb 100644 --- a/.github/workflows/daily.yml +++ b/.github/workflows/daily.yml @@ -8,6 +8,9 @@ on: env: NODE_VERSION: lts/* +permissions: + contents: read + jobs: build-lto: runs-on: ubuntu-latest diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml index 474a8dd7eac..72abb16ad50 100644 --- a/.github/workflows/doc.yml +++ b/.github/workflows/doc.yml @@ -16,6 +16,9 @@ concurrency: env: NODE_VERSION: lts/* +permissions: + contents: read + jobs: build-docs: if: github.event.pull_request.draft == false diff --git a/.github/workflows/find-inactive-collaborators.yml b/.github/workflows/find-inactive-collaborators.yml index 7445dd8ca84..ce47c0a1dde 100644 --- a/.github/workflows/find-inactive-collaborators.yml +++ b/.github/workflows/find-inactive-collaborators.yml @@ -10,6 +10,9 @@ on: env: NODE_VERSION: lts/* +permissions: + contents: read + jobs: find: if: github.repository == 'nodejs/node' diff --git a/.github/workflows/find-inactive-tsc.yml b/.github/workflows/find-inactive-tsc.yml index 389a6d1e0f5..2f6afec4227 100644 --- a/.github/workflows/find-inactive-tsc.yml +++ b/.github/workflows/find-inactive-tsc.yml @@ -10,6 +10,9 @@ on: env: NODE_VERSION: lts/* +permissions: + contents: read + jobs: find: if: github.repository == 'nodejs/node' diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml index 58e9b226dab..922a9359f5e 100644 --- a/.github/workflows/label-pr.yml +++ b/.github/workflows/label-pr.yml @@ -4,6 +4,9 @@ on: pull_request_target: types: [opened] +permissions: + contents: read + jobs: label: runs-on: ubuntu-latest diff --git a/.github/workflows/license-builder.yml b/.github/workflows/license-builder.yml index 790bab9e397..3c966da1d5b 100644 --- a/.github/workflows/license-builder.yml +++ b/.github/workflows/license-builder.yml @@ -6,8 +6,14 @@ on: - cron: 0 0 * * 1 workflow_dispatch: +permissions: + contents: read + jobs: update_license: + permissions: + contents: write # for gr2m/create-or-update-pull-request-action to push local changes + pull-requests: write # for gr2m/create-or-update-pull-request-action to create a PR if: github.repository == 'nodejs/node' runs-on: ubuntu-latest steps: diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml index c9873d188a8..1b5c9e8f9ba 100644 --- a/.github/workflows/linters.yml +++ b/.github/workflows/linters.yml @@ -17,6 +17,9 @@ env: PYTHON_VERSION: '3.10' NODE_VERSION: lts/* +permissions: + contents: read + jobs: lint-addon-docs: if: github.event.pull_request.draft == false diff --git a/.github/workflows/notify-force-push.yml b/.github/workflows/notify-force-push.yml index 32876584edb..69aacc8524f 100644 --- a/.github/workflows/notify-force-push.yml +++ b/.github/workflows/notify-force-push.yml @@ -4,6 +4,9 @@ on: - main name: Notify on Force Push +permissions: + contents: read + jobs: slackNotification: name: Slack Notification diff --git a/.github/workflows/test-asan.yml b/.github/workflows/test-asan.yml index b345eded201..ba30449e90b 100644 --- a/.github/workflows/test-asan.yml +++ b/.github/workflows/test-asan.yml @@ -33,6 +33,9 @@ env: PYTHON_VERSION: '3.10' FLAKY_TESTS: dontcare +permissions: + contents: read + jobs: test-asan: if: github.event.pull_request.draft == false diff --git a/.github/workflows/test-internet.yml b/.github/workflows/test-internet.yml index 75f508bfe01..297ceea987a 100644 --- a/.github/workflows/test-internet.yml +++ b/.github/workflows/test-internet.yml @@ -24,6 +24,9 @@ env: PYTHON_VERSION: '3.10' FLAKY_TESTS: dontcare +permissions: + contents: read + jobs: test-internet: runs-on: ubuntu-latest diff --git a/.github/workflows/test-linux.yml b/.github/workflows/test-linux.yml index b2fa9e0a0cb..4cc09f22c25 100644 --- a/.github/workflows/test-linux.yml +++ b/.github/workflows/test-linux.yml @@ -26,6 +26,9 @@ env: PYTHON_VERSION: '3.10' FLAKY_TESTS: dontcare +permissions: + contents: read + jobs: test-linux: if: github.event.pull_request.draft == false diff --git a/.github/workflows/test-macos.yml b/.github/workflows/test-macos.yml index f342dbfa0f1..5f93730d666 100644 --- a/.github/workflows/test-macos.yml +++ b/.github/workflows/test-macos.yml @@ -32,6 +32,9 @@ env: PYTHON_VERSION: '3.10' FLAKY_TESTS: dontcare +permissions: + contents: read + jobs: test-macOS: if: github.event.pull_request.draft == false diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml index 3d58558ce69..dbd664ea64a 100644 --- a/.github/workflows/tools.yml +++ b/.github/workflows/tools.yml @@ -6,6 +6,9 @@ on: workflow_dispatch: +permissions: + contents: read + jobs: tools-deps-update: if: github.repository == 'nodejs/node' |