From 54135b0724f2f3b26bce2523d6cf9969fb3d1054 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 31 Jul 2024 14:19:02 +0200 Subject: [PATCH] gha: set permissions to read-only by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Sebastiaan van Stijn (cherry picked from commit e4d99b4b60e471989ab314594a5b5f0271c8e6f5) Signed-off-by: Paweł Gronowski --- .github/workflows/build.yml | 9 +++++++++ .github/workflows/codeql.yml | 9 +++++++++ .github/workflows/e2e.yml | 9 +++++++++ .github/workflows/test.yml | 9 +++++++++ .github/workflows/validate-pr.yml | 9 +++++++++ .github/workflows/validate.yml | 9 +++++++++ 6 files changed, 54 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 88350c7e8908..916417edda8a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,5 +1,14 @@ name: build +# Default to 'contents: read', which grants actions to read commits. +# +# If any permission is set, any permission not included in the list is +# implicitly set to "none". +# +# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0b6bd1802488..15e1eb70922c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,5 +1,14 @@ name: codeql +# Default to 'contents: read', which grants actions to read commits. +# +# If any permission is set, any permission not included in the list is +# implicitly set to "none". +# +# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +permissions: + contents: read + on: push: branches: diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 8a462812d53d..42a967defde4 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -1,5 +1,14 @@ name: e2e +# Default to 'contents: read', which grants actions to read commits. +# +# If any permission is set, any permission not included in the list is +# implicitly set to "none". +# +# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0a0f77e65c86..23c0d925aede 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,5 +1,14 @@ name: test +# Default to 'contents: read', which grants actions to read commits. +# +# If any permission is set, any permission not included in the list is +# implicitly set to "none". +# +# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml index ca00ec58cea7..0f449d0a03d6 100644 --- a/.github/workflows/validate-pr.yml +++ b/.github/workflows/validate-pr.yml @@ -1,5 +1,14 @@ name: validate-pr +# Default to 'contents: read', which grants actions to read commits. +# +# If any permission is set, any permission not included in the list is +# implicitly set to "none". +# +# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +permissions: + contents: read + on: pull_request: types: [opened, edited, labeled, unlabeled] diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 6c54955a2921..f5a32c714dae 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -1,5 +1,14 @@ name: validate +# Default to 'contents: read', which grants actions to read commits. +# +# If any permission is set, any permission not included in the list is +# implicitly set to "none". +# +# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true