From 0831f9f24442295a8593c30c22a0c443a27f5f3e Mon Sep 17 00:00:00 2001 From: Jan Calanog Date: Sun, 18 Feb 2024 02:11:00 +0700 Subject: [PATCH 1/2] security: add permissions block to workflows --- .github/workflows/addToProject.yml | 3 +++ .github/workflows/labeler.yml | 3 +++ .github/workflows/snapshot.yml | 3 +++ .github/workflows/test-reporter.yml | 4 ++++ 4 files changed, 13 insertions(+) diff --git a/.github/workflows/addToProject.yml b/.github/workflows/addToProject.yml index cee67c2f..6b5becda 100644 --- a/.github/workflows/addToProject.yml +++ b/.github/workflows/addToProject.yml @@ -7,6 +7,9 @@ on: env: MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }} +permissions: + contents: read + jobs: assign_one_project: runs-on: ubuntu-latest diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index e105cc50..60b320e5 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -7,6 +7,9 @@ on: env: MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }} +permissions: + contents: read + jobs: triage: runs-on: ubuntu-latest diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml index 26eaa792..96edbbad 100644 --- a/.github/workflows/snapshot.yml +++ b/.github/workflows/snapshot.yml @@ -12,6 +12,9 @@ on: default: false type: boolean +permissions: + contents: read + jobs: deploy: name: Deploy diff --git a/.github/workflows/test-reporter.yml b/.github/workflows/test-reporter.yml index 39b10a07..075682ae 100644 --- a/.github/workflows/test-reporter.yml +++ b/.github/workflows/test-reporter.yml @@ -8,6 +8,10 @@ on: types: - completed +permissions: + contents: read + actions: read + jobs: report: runs-on: ubuntu-latest From a13c71f55d51b313e1258fd78a04264b4e4cd54b Mon Sep 17 00:00:00 2001 From: Jan Calanog Date: Tue, 12 Mar 2024 12:56:00 +0100 Subject: [PATCH 2/2] Add permissions --- .github/workflows/labeler.yml | 2 ++ .github/workflows/test-reporter.yml | 1 + 2 files changed, 3 insertions(+) 
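Review bot: The new `permissions` block constrains only the built-in GITHUB_TOKEN, so the `MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}` exported in the `env` block two lines above it is not narrowed at all; whatever scopes that secret carries remain available to every step. If the job authenticates with that secret (the name suggests a user token, and the steps are outside the hunk), the read-only block is a sound default but not the effective privilege boundary, and that is worth recording in place: `# Scopes GITHUB_TOKEN only; MY_GITHUB_TOKEN (secrets.APM_TECH_USER_TOKEN) is not limited by this block.` The same applies to the labeler.yml hunk of this commit, which exports the same secret. The jobs that consume these tokens continue outside the hunk.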
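Review bot: `contents: read` is declared at workflow level directly above a job named `Deploy`, whose steps are outside the hunk; if that job publishes with GITHUB_TOKEN (a release, a package or a branch push), it will fail under read-only and the tempting fix is to widen this top-level block. Keep the top-level block read-only and grant anything further under `jobs.deploy.permissions` (for example `permissions:` / `  contents: write` there), so the elevation is scoped to the one job and sits next to the steps that need it. A one-line comment such as `# Read-only default for all jobs; elevate per job under jobs.<id>.permissions` would make that intent explicit.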
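Review bot: Nothing records why `actions: read` is needed alongside `contents: read`, and on a `workflow_run` trigger with `types: completed` (visible above the block) that permission typically exists to download artifacts from the run that triggered this one, which may have been produced by a pull request from a fork. Whatever the `report` job downloads should therefore be treated as untrusted data to parse, never as code or shell input, and since the job steps are outside the hunk that cannot be confirmed here. A comment documenting both the reason and the trust boundary would help: `# actions: read — download artifacts of the triggering run; treat their contents as untrusted input`.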
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 60b320e5..196d5329 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -9,6 +9,8 @@ env: permissions: contents: read + issues: write + pull-requests: write jobs: triage: diff --git a/.github/workflows/test-reporter.yml b/.github/workflows/test-reporter.yml index 075682ae..e7ce6e21 100644 --- a/.github/workflows/test-reporter.yml +++ b/.github/workflows/test-reporter.yml @@ -11,6 +11,7 @@ on: permissions: contents: read actions: read + checks: write jobs: report:
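Review bot: `issues: write` and `pull-requests: write` are added to the workflow-level block, where they apply to every job rather than to `triage` alone. Moving them to `jobs.triage.permissions` keeps the top-level block at the read-only default the first commit introduced and leaves any job added later unprivileged; if `triage` is the only job, the runtime effect is the same today. The same applies to `checks: write` in the test-reporter.yml hunk of this commit, where `report` is the job that needs it. Note also that these grants affect GITHUB_TOKEN only; the `MY_GITHUB_TOKEN` secret exported in the `env` block of labeler.yml is unaffected, so if the triage steps use that secret these lines grant nothing they use — the steps are outside the hunk.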