From 28295e9e5f2da83413b28cd7616ed49ebe3d0dad Mon Sep 17 00:00:00 2001
From: Javier Bullrich
Date: Tue, 16 Jul 2024 10:49:11 +0200
Subject: [PATCH] command-action: added scoped permissions to the github tokens (#5016)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This will ensure that malicious code can not access other parts of the project.
Co-authored-by: Oliver Tale-Yazdi
Co-authored-by: Bastian Köcher
---
 .github/workflows/command-bench-all.yml | 3 +++
 .github/workflows/command-bench-overhead.yml | 3 +++
 .github/workflows/command-bench.yml | 3 +++
 .github/workflows/command-fmt.yml | 3 +++
 .github/workflows/command-sync.yml | 3 +++
 .github/workflows/command-update-ui.yml | 3 +++
 6 files changed, 18 insertions(+)
diff --git a/.github/workflows/command-bench-all.yml b/.github/workflows/command-bench-all.yml
index 6aa4f6f7ff003..4128f86fb7c82 100644
--- a/.github/workflows/command-bench-all.yml
+++ b/.github/workflows/command-bench-all.yml
@@ -66,6 +66,9 @@ jobs:
 runs-on: arc-runners-polkadot-sdk-weights
 container:
 image: ${{ needs.set-image.outputs.IMAGE }}
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - name: Download repo
 uses: actions/checkout@v4
diff --git a/.github/workflows/command-bench-overhead.yml b/.github/workflows/command-bench-overhead.yml
index 16cbcefcf2697..fec8d37bb9ef8 100644
--- a/.github/workflows/command-bench-overhead.yml
+++ b/.github/workflows/command-bench-overhead.yml
@@ -45,6 +45,9 @@ jobs:
 runs-on: arc-runners-polkadot-sdk-benchmark
 container:
 image: ${{ needs.set-image.outputs.IMAGE }}
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - name: Download repo
 uses: actions/checkout@v4
diff --git a/.github/workflows/command-bench.yml b/.github/workflows/command-bench.yml
index b23b06d1b3c04..ac879f443755c 100644
--- a/.github/workflows/command-bench.yml
+++ b/.github/workflows/command-bench.yml
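Review bot: `contents: write` in the added `permissions:` block is still a repository-wide grant — it allows pushes to any unprotected branch, tag creation and release edits — so the hunk narrows which token scopes the job carries rather than which parts of the project it can reach, contrary to what the commit message suggests; the same applies to the identical hunks in command-bench-overhead.yml, command-bench.yml, command-fmt.yml, command-sync.yml and command-update-ui.yml. If these command jobs check out and execute code from the PR that triggered them (the `Download repo` step follows the block, but the trigger is outside the hunk), the remaining protection for the default branch rests on branch protection rules or rulesets, which should be confirmed rather than assumed. The enclosing job starts before the hunk and no workflow-level `permissions:` block is visible, so the other jobs — at least `set-image`, which supplies the container image — presumably still receive the repository's default token permissions; a top-level `permissions: {}` (or `contents: read`) with this job-level elevation would make the reduction effective for the whole workflow. A short comment above the block would record the intent for the next maintainer, e.g. `# Restrict GITHUB_TOKEN to the scopes this job needs; every scope not listed here becomes none.`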
@@ -91,6 +91,9 @@ jobs:
 runs-on: arc-runners-polkadot-sdk-benchmark
 container:
 image: ${{ needs.set-image.outputs.IMAGE }}
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - name: Download repo
 uses: actions/checkout@v4
diff --git a/.github/workflows/command-fmt.yml b/.github/workflows/command-fmt.yml
index c949d0768d7a7..586b8c77f2745 100644
--- a/.github/workflows/command-fmt.yml
+++ b/.github/workflows/command-fmt.yml
@@ -23,6 +23,9 @@ jobs:
 timeout-minutes: 20
 container:
 image: ${{ needs.set-image.outputs.IMAGE }}
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - name: Download repo
 uses: actions/checkout@v4
diff --git a/.github/workflows/command-sync.yml b/.github/workflows/command-sync.yml
index fa5bb9eaf9125..c610f4066a873 100644
--- a/.github/workflows/command-sync.yml
+++ b/.github/workflows/command-sync.yml
@@ -38,6 +38,9 @@ jobs:
 runs-on: arc-runners-polkadot-sdk-warpsync
 container:
 image: ${{ needs.set-image.outputs.IMAGE }}
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - name: Download repo
 uses: actions/checkout@v4
diff --git a/.github/workflows/command-update-ui.yml b/.github/workflows/command-update-ui.yml
index b6b0420e78689..860177adc8790 100644
--- a/.github/workflows/command-update-ui.yml
+++ b/.github/workflows/command-update-ui.yml
@@ -26,6 +26,9 @@ jobs:
 timeout-minutes: 90
 container:
 image: ${{ needs.set-image.outputs.IMAGE }}
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - name: Download repo
 uses: actions/checkout@v4