From a4ce73b57548160777ac04d9f4052b80e6d55934 Mon Sep 17 00:00:00 2001
From: Jack Edmonds
Date: Tue, 10 Sep 2024 11:43:17 -0400
Subject: [PATCH] Set specific permissions on workflows.

---
 .github/workflows/approved_status.yml  | 4 ++++
 .github/workflows/changelog.yml        | 5 +++++
 .github/workflows/codeql-analysis.yml  | 4 ++++
 .github/workflows/docs.yml             | 3 +++
 .github/workflows/labeler.yml          | 5 +++++
 .github/workflows/prepare_release.yml  | 4 ++++
 .github/workflows/publish.yml          | 5 +++++
 .github/workflows/release.yml          | 4 ++++
 .github/workflows/stale.yml            | 6 ++++++
 .github/workflows/test.yml             | 3 +++
 .github/workflows/test_integration.yml | 3 +++
 11 files changed, 46 insertions(+)

diff --git a/.github/workflows/approved_status.yml b/.github/workflows/approved_status.yml
index 1d1422c77217..11fe488dc043 100644
--- a/.github/workflows/approved_status.yml
+++ b/.github/workflows/approved_status.yml
@@ -1,5 +1,9 @@
 name: Send PR Approval Status
 
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   pull_request:
     branches:
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 6dd28dcc4c94..9fa9b771b55f 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -1,4 +1,9 @@
 name: "Ensure labels"
+
+permissions:
+  contents: read
+  pull-requests: read
+
 on: # yamllint disable-line rule:truthy
   pull_request:
     types:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 06d27abdeaa5..10aa601c2529 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,5 +1,9 @@
 name: "CodeQL"
 
+permissions:
+  contents: read
+  checks: write
+
 on:
   push:
     branches: [ "master" ]
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index ba1f13159943..3af973ef8964 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,5 +1,8 @@
 name: docs
 
+permissions:
+  contents: write
+
 on:
   push:
     branches:
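Review bot: The `pull-requests: write` added in the approved_status.yml hunk only takes effect for pull requests opened from branches of this repository; under the `on: pull_request` trigger visible in the same hunk, the GITHUB_TOKEN for a fork PR is read-only no matter what the `permissions:` block declares, so any step that posts a status or comment will be denied on fork PRs. If same-repo PRs are the intended scope, a comment on the block would spare the next reader a debugging session, e.g. `# write is honoured for same-repo PRs only; fork PRs receive a read-only token`. The labeler.yml hunk pairs `pull-requests: write` with `on: pull_request` in the same way and carries the same caveat. The jobs that consume this scope are outside the hunk, so whether they already guard the fork case cannot be confirmed from here.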
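Review bot: `checks: write` in the codeql-analysis.yml hunk is not the scope a CodeQL upload needs; the `github/codeql-action/analyze` step this workflow presumably contains (outside the hunk) requires `security-events: write`, and once an explicit workflow-level `permissions:` block exists every scope not listed is set to none, so with the block as written the results upload would be denied. If the analyze step is present, the block should be `contents: read` plus `security-events: write` (and `actions: read` on a private repository), and `checks: write` can most likely be dropped. Worth confirming against the job definitions before merging.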
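Review bot: `contents: write` at the top of docs.yml applies to every job in the workflow, including any build or lint job that only needs to read the repository. Unless the workflow consists of a single job that pushes, the write scope is better declared under that job's own `permissions:` with `contents: read` left at workflow level, so that a compromised step in an unrelated job cannot push to the repository. The prepare_release.yml, publish.yml, release.yml and stale.yml hunks grant write scopes workflow-wide in the same way and would benefit from the same job-level scoping. The job definitions are outside the hunks, so this is flagged rather than confirmed.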
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index bbbd1d357a68..fc9bdfac0cbb 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -1,4 +1,9 @@
 name: "Pull Request Labeler"
+
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   - pull_request
 
diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml
index 480c57a389fd..f38e1bc27d80 100644
--- a/.github/workflows/prepare_release.yml
+++ b/.github/workflows/prepare_release.yml
@@ -1,5 +1,9 @@
 name: Prepare release
 
+permissions:
+  contents: write
+  pull-requests: write
+
 env:
   GIT_AUTHOR_EMAIL: "packages@datadoghq.com"
   GIT_AUTHOR_NAME: "ci.datadog-api-spec"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ee05d06d40af..012d7e026b5b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,5 +1,10 @@
 name: Publish
 
+permissions:
+  contents: write
+  attestations: write
+  pull-requests: write
+
 on:
   release:
     types:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c60361f7ee8d..79fbb5abd076 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,9 @@
 name: Release
 
+permissions:
+  contents: write
+  pull-requests: write
+
 env:
   GIT_AUTHOR_EMAIL: "packages@datadoghq.com"
   GIT_AUTHOR_NAME: "ci.datadog-api-spec"
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index fc8a1a5282b0..a4e130ab2f86 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,6 +1,12 @@
 # Configuration for https://github.com/actions/stale
 
 name: "Stale issues and pull requests"
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
 on:
   schedule:
     - cron: "0 0 * * *"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 2504794b3554..69f19b825280 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
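Review bot: `attestations: write` in the publish.yml hunk is not sufficient on its own to produce a provenance attestation; `actions/attest-build-provenance` and OIDC-based trusted publishing both also require `id-token: write`, which this explicit block leaves at none by omission. If the publish job generates attestations or publishes through OIDC (its steps are outside the hunk), `id-token: write` needs to be added, preferably on that job only rather than workflow-wide. `pull-requests: write` on a workflow triggered by `release:` is unusual enough to deserve a one-line comment naming the step that opens or edits a PR, so a later reader does not remove it as stale.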
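Review bot: `contents: write` in the stale.yml hunk is only needed by actions/stale when `delete-branch: true` is configured; closing and labeling stale issues and PRs needs just `issues: write` and `pull-requests: write`. If the job (outside the hunk) does not delete branches, `contents: write` should be dropped so a scheduled bot does not hold push rights; if it does, a comment such as `# contents: write is required only for delete-branch` records why the scope is there.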
@@ -1,5 +1,8 @@
 name: Run Tests
 
+permissions:
+  contents: read
+
 env:
   GIT_AUTHOR_EMAIL: "packages@datadoghq.com"
   GIT_AUTHOR_NAME: "ci.datadog-api-spec"
diff --git a/.github/workflows/test_integration.yml b/.github/workflows/test_integration.yml
index fe5f3ef2cfe1..68a34fc809f2 100644
--- a/.github/workflows/test_integration.yml
+++ b/.github/workflows/test_integration.yml
@@ -1,5 +1,8 @@
 name: Run Integration Tests
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types: