fix: reduce token permissions (#7719)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2023-06-30 12:49:42 +02:00 · 2023-06-30 12:49:42 +02:00 · 50c5d55034
commit 50c5d55034
parent 52cb513571
6 changed files with 14 additions and 15 deletions
--- a/.github/workflows/check-actions.yaml
+++ b/.github/workflows/check-actions.yaml
@ -14,8 +14,6 @@ permissions: {}
 jobs:
  check:
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
--- a/.github/workflows/cli.yaml
+++ b/.github/workflows/cli.yaml
@ -10,13 +10,12 @@ on:
      - 'main'
      - 'release*'

+permissions: {}
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions:
-  contents: read
-
 jobs:
  cli-test:
    runs-on: ubuntu-latest
--- a/.github/workflows/codecov.yaml
+++ b/.github/workflows/codecov.yaml
@ -9,13 +9,12 @@ on:
      - 'main'
      - 'release*'

+permissions: {}
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions:
-  contents: read
-
 jobs:
  codecov:
    runs-on: ubuntu-latest
--- a/.github/workflows/comment-commands.yaml
+++ b/.github/workflows/comment-commands.yaml
@ -6,13 +6,14 @@ on:
      - created
      - edited

-permissions:
-  issues: write
-  pull-requests: write
+permissions: {}

 jobs:
  execute:
    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
    steps:
      - uses: jpmcb/prow-github-actions@f4d01dd4b13f289014c23fe5a19878a2479cb35b # v1.1.3
        with:
--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@ -5,8 +5,7 @@ on:
    branches: 
      - main

-permissions:
-  contents: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@ -15,6 +14,8 @@ concurrency:
 jobs:
  fossa-scan:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
--- a/.github/workflows/images-build.yaml
+++ b/.github/workflows/images-build.yaml
@ -9,12 +9,13 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: 
-  contents: read
+permissions: {}

 jobs:
  build-images:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3