GitHub Workflows security hardening (#2654)

evanw · Nov 15, 2022 · 5ecf746 · 5ecf746
1 parent 9dee65c
commit 5ecf746
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: ['*']
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   esbuild-slow:
     # Split these out into their own runner because they're very slow

diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: '0 */6 * * *'
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   validate:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,8 +4,12 @@ on:
   push:
     tags: ['v*']
 
+permissions: {}
 jobs:
   release:
+    permissions:
+      contents: write  #  to create a release (actions/create-release)
+
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code

diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -5,6 +5,9 @@ on:
     tags: ['v*']
   workflow_dispatch:
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   release:
     runs-on: ubuntu-latest