From 50c5d550342f751d4d6144c5ecdf26289194dfc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Fri, 30 Jun 2023 12:49:42 +0200 Subject: [PATCH] fix: reduce token permissions (#7719) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché --- .github/workflows/check-actions.yaml | 2 -- .github/workflows/cli.yaml | 5 ++--- .github/workflows/codecov.yaml | 5 ++--- .github/workflows/comment-commands.yaml | 7 ++++--- .github/workflows/fossa.yml | 5 +++-- .github/workflows/images-build.yaml | 5 +++-- 6 files changed, 14 insertions(+), 15 deletions(-) diff --git a/.github/workflows/check-actions.yaml b/.github/workflows/check-actions.yaml index 192f657c04..5aa2f918ff 100644 --- a/.github/workflows/check-actions.yaml +++ b/.github/workflows/check-actions.yaml @@ -14,8 +14,6 @@ permissions: {} jobs: check: runs-on: ubuntu-latest - permissions: - contents: read steps: - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/cli.yaml b/.github/workflows/cli.yaml index 1765ed7178..c33199d84b 100644 --- a/.github/workflows/cli.yaml +++ b/.github/workflows/cli.yaml @@ -10,13 +10,12 @@ on: - 'main' - 'release*' +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read - jobs: cli-test: runs-on: ubuntu-latest diff --git a/.github/workflows/codecov.yaml b/.github/workflows/codecov.yaml index 78448cbe9b..50096d3393 100644 --- a/.github/workflows/codecov.yaml +++ b/.github/workflows/codecov.yaml @@ -9,13 +9,12 @@ on: - 'main' - 'release*' +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read - jobs: codecov: runs-on: ubuntu-latest 
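Review bot: The `check` job in check-actions.yaml loses its `contents: read` grant but still runs `actions/checkout`, while the fossa.yml and images-build.yaml hunks of this same commit add a job-level `contents: read` for the same checkout step. With the workflow-level `permissions: {}` shown in the hunk header, the job token carries no repository scope, which presumably works only because the repository is public; a private fork or mirror would fail at checkout. The cli.yaml and codecov.yaml hunks have the same shape: the workflow-level `contents: read` becomes `permissions: {}` and no job-level grant is visible, though those jobs continue outside the hunks. I would either keep `permissions:` / `contents: read` on every job that checks out code, or record the intent next to the empty grant with `# no token scopes: checkout relies on the repository being public`.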
diff --git a/.github/workflows/comment-commands.yaml b/.github/workflows/comment-commands.yaml index 791dbeb6cc..1ebc4ac640 100644 --- a/.github/workflows/comment-commands.yaml +++ b/.github/workflows/comment-commands.yaml @@ -6,13 +6,14 @@ on: - created - edited -permissions: - issues: write - pull-requests: write +permissions: {} jobs: execute: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: jpmcb/prow-github-actions@f4d01dd4b13f289014c23fe5a19878a2479cb35b # v1.1.3 with: diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index be0eb20af2..55c4020ac3 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -5,8 +5,7 @@ on: branches: - main -permissions: - contents: read +permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -15,6 +14,8 @@ concurrency: jobs: fossa-scan: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/images-build.yaml b/.github/workflows/images-build.yaml index b23ec28b86..f059a4db1d 100644 --- a/.github/workflows/images-build.yaml +++ b/.github/workflows/images-build.yaml @@ -9,12 +9,13 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read +permissions: {} jobs: build-images: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
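Review bot: In comment-commands.yaml, nothing at the new job-level `permissions:` block says why a job started by `created` and `edited` comment events holds `issues: write` and `pull-requests: write`. Any step later added to the `execute` job inherits that write token, so the constraint is worth stating in place: `# write scopes are for the prow commands only; do not add checkout or run steps to this job`. Who may issue commands is decided by the action's `with:` settings, which begin on the hunk's last line and continue outside it, so that part cannot be checked from here.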