From 867f13a86256848ae3e8b38ecaa52824d98a03a7 Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Sun, 18 Feb 2024 01:57:51 +0700
Subject: [PATCH 1/2] security: add permissions block to workflows

---
 .github/workflows/addToProject.yml | 3 +++
 .github/workflows/labeler.yml | 3 +++
 .github/workflows/snapshot.yml | 3 +++
 .github/workflows/test-reporter.yml | 4 ++++
 4 files changed, 13 insertions(+)

diff --git a/.github/workflows/addToProject.yml b/.github/workflows/addToProject.yml
index 7f49a3a657..e7befea26f 100644
--- a/.github/workflows/addToProject.yml
+++ b/.github/workflows/addToProject.yml
@@ -3,6 +3,9 @@ on:
 issues:
 types:
 - opened, milestoned
+permissions:
+ contents: read
+
 jobs:
 add_to_project:
 if: github.event.issue && github.event.issue.milestone
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 12b980856d..4394ea736e 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -7,6 +7,9 @@ on:
 env:
 MY_GITHUB_TOKEN: ${{ secrets.APM_TECH_USER_TOKEN }}

+permissions:
+ contents: read
+
 jobs:
 triage:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml
index 355e919c84..86d6353476 100644
--- a/.github/workflows/snapshot.yml
+++ b/.github/workflows/snapshot.yml
@@ -12,6 +12,9 @@ on:
 default: false
 type: boolean

+permissions:
+ contents: read
+
 jobs:
 deploy:
 name: Deploy
diff --git a/.github/workflows/test-reporter.yml b/.github/workflows/test-reporter.yml
index 3c87b9f8df..8da854aec4 100644
--- a/.github/workflows/test-reporter.yml
+++ b/.github/workflows/test-reporter.yml
@@ -8,6 +8,10 @@ on:
 types:
 - completed

+permissions:
+ contents: read
+ actions: read
+
 jobs:
 report:
 runs-on: ubuntu-latest

From 6a0d7bb43e49c23de49fbbe884180bdeb536925f Mon Sep 17 00:00:00 2001
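Review bot: `contents: read` as the only grant leaves GITHUB_TOKEN with no issues or projects scope, so the `add_to_project` job (its steps start past the end of this hunk) can only succeed if it authenticates with a separate secret; any step that relies on `${{ secrets.GITHUB_TOKEN }}` or `github.token` for the projects API will now be rejected. Since the intent is not visible from the file, annotate the block so the narrow default is not "fixed" later by widening it, e.g. `permissions:  # GITHUB_TOKEN is read-only here; project access must come from a dedicated secret`. Unrelated to the change but on the new side: the `types:` list holds the single string `opened, milestoned` rather than two activity types, which is presumably not what the trigger intends — confirm against the events the job expects.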
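Review bot: Restricting GITHUB_TOKEN to `contents: read` does not reduce what this workflow can do, because the `env:` block at the top of the hunk still exports `secrets.APM_TECH_USER_TOKEN` as `MY_GITHUB_TOKEN` to every job and step in the file; that PAT, not GITHUB_TOKEN, is now the credential worth protecting. If the workflow is triggered by `pull_request_target` or otherwise runs anything derived from a PR (the `on:` block ends above this hunk, so I cannot tell), a workflow-level env PAT is reachable from untrusted steps. Move it to `env:` on the one step that needs it and leave a pointer here, e.g. `permissions:  # GITHUB_TOKEN scopes only; labeling uses MY_GITHUB_TOKEN (PAT) — keep it step-scoped`.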
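Review bot: The workflow-level `permissions:` is only a default; if the `deploy` job (which begins at the last lines of the hunk and continues past it) publishes through OIDC or pushes tags it will need `id-token: write` or `contents: write`, and that belongs on the job as `jobs.deploy.permissions:` rather than in this block, which would also apply to any job added later. If deployment uses a stored secret instead, say so, so the read-only default reads as intentional, e.g. `permissions:  # publish credentials come from repository secrets; GITHUB_TOKEN needs only read`.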
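Review bot: `actions: read` is enough to download the artifacts of the run that fired this `workflow_run` / `completed` trigger, but that also makes the artifact the trust boundary: the triggering run may have executed on a fork PR, so whatever the `report` job (its steps start past the end of the hunk) unpacks — test XML/JSON, file paths inside the archive — is attacker-influenced input handled under a base-repository token. Document both the scope and the caveat on the line itself, e.g. `actions: read  # download artifacts of the triggering run; treat their contents as untrusted`. Confirm that nothing in the job executes scripts or code taken from the artifact.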
From: Jan Calanog
Date: Mon, 11 Mar 2024 15:59:24 +0100
Subject: [PATCH 2/2] Add permissions

---
 .github/workflows/labeler.yml | 2 ++
 .github/workflows/test-reporter.yml | 1 +
 2 files changed, 3 insertions(+)

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 4394ea736e..a98c37e42b 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -9,6 +9,8 @@ env:

 permissions:
 contents: read
+ issues: write
+ pull-requests: write

 jobs:
 triage:
diff --git a/.github/workflows/test-reporter.yml b/.github/workflows/test-reporter.yml
index 8da854aec4..6bdda8e44f 100644
--- a/.github/workflows/test-reporter.yml
+++ b/.github/workflows/test-reporter.yml
@@ -11,6 +11,7 @@ on:
 permissions:
 contents: read
 actions: read
+ checks: write

 jobs:
 report:
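Review bot: `issues: write` and `pull-requests: write` are granted at the workflow level, so they apply to every job in the file and sit alongside the PAT that `env: MY_GITHUB_TOKEN` already exports (visible in the first patch's context); the `triage` job now holds two credentials able to label, and only one is needed. Determine which token the labeler step actually uses: if GITHUB_TOKEN, drop the PAT env; if the PAT, these two write scopes are unnecessary and the block should stay at `contents: read`. Whichever remains, place it under `jobs.triage.permissions:` rather than here so the grant is scoped to the one job that labels.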
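Review bot: `checks: write` is added at the workflow level of a `workflow_run`-triggered workflow (the `on:` block ends just above the hunk), so any job in this file can create or update check runs on the base repository using data that originated in a possibly fork-authored run; scope it to the one job that publishes the report with `jobs.report.permissions:` and keep the workflow-level block read-only. Each scope here also deserves a one-line reason, e.g. `checks: write  # publish the test summary as a check run on the triggering commit`, since a later reviewer cannot otherwise tell which step needs which grant.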