Limit top-level permissions for labeler workflow
By default the top-level `GITHUB_TOKEN` has all permissions[^1]. This
change removes all permissions by default, as recommended by the GitHub
Actions security hardening guide[^2].

This change is a low risk test. I plan to modify all other workflows if
this works okay.

[^1]:
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
[^2]:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#restricting-permissions-for-tokens
JamieMagee committed May 24, 2024
1 parent 05f314a commit c74d9dd
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/labeler.yml
Expand Up @@ -3,6 +3,8 @@ name: Pull Request Labeler
on: # yamllint disable-line rule:truthy
- pull_request_target

permissions: {}

jobs:
triage:
permissions:
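
Review bot: The new top-level `permissions: {}` will not change the token that the `triage` job receives, because that job already declares its own `permissions:` block directly below and a job-level block replaces the workflow-level setting rather than merging with it. As a test of whether the workflow still works, this change therefore only affects jobs that lack their own block, and none is visible in this hunk. That is still worth having on a `pull_request_target` workflow, which runs in the base repository's context, since any job added later starts from no permissions. I would add a short comment above `permissions: {}` saying that every job must list the scopes it needs, and check that the `triage` block (cut off in this view) grants only what the labeler step uses.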

0 comments on commit c74d9dd