diff --git a/.github/workflows/canary-deploy.yml b/.github/workflows/canary-deploy.yml index a0f7d8a620b..56340fa9393 100644 --- a/.github/workflows/canary-deploy.yml +++ b/.github/workflows/canary-deploy.yml @@ -6,6 +6,9 @@ on: - master workflow_dispatch: +permissions: + contents: read + jobs: deploy: name: Canary Deploy diff --git a/.github/workflows/check-changeset.yml b/.github/workflows/check-changeset.yml index 1255ab7b79c..fcb30954705 100644 --- a/.github/workflows/check-changeset.yml +++ b/.github/workflows/check-changeset.yml @@ -6,8 +6,15 @@ env: GITHUB_PULL_REQUEST_HEAD_SHA: ${{ github.event.pull_request.head.sha }} GITHUB_PULL_REQUEST_BASE_SHA: ${{ github.event.pull_request.base.sha }} +permissions: + contents: read + jobs: check_changeset: + permissions: + contents: read # for actions/checkout to fetch code + issues: write # for peter-evans/create-or-update-comment to create or update comment + pull-requests: write # for peter-evans/create-or-update-comment to create or update comment name: Check changeset vs changed files runs-on: ubuntu-latest diff --git a/.github/workflows/check-pkg-paths.yml b/.github/workflows/check-pkg-paths.yml index d8a41fee0f1..6504f735d87 100644 --- a/.github/workflows/check-pkg-paths.yml +++ b/.github/workflows/check-pkg-paths.yml @@ -2,6 +2,9 @@ name: Test Package Paths on: pull_request +permissions: + contents: read + jobs: test: name: Test Package Paths diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index 8344474a56f..68a69174401 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -5,6 +5,9 @@ on: repository_dispatch: types: [staging-tests] +permissions: + contents: read + jobs: test: name: Run E2E Smoke Tests diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index 8c4d5cb3eb7..55a68e388d2 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml 
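Review bot: The new workflow-level `permissions:` block carries no comment saying why the token is restricted, unlike the job-level grants in check-changeset.yml, so the next person adding a step that writes through GITHUB_TOKEN has nothing telling them to add a job-level override instead of widening the default. Add `# GITHUB_TOKEN is read-only by default; grant extra scopes per job, not here` above `contents: read`, and the same line in the other workflow-level blocks in this diff (check-pkg-paths.yml, e2e-test.yml, format.yml and the remaining workflows). Whether the Canary Deploy job itself uses GITHUB_TOKEN for anything beyond checkout is not visible in the hunk; if it does (deployments, releases, tags), it needs its own job-level `permissions:` entry or it will fail under the read-only default, and the same check applies to the deploy job in prerelease-manual-deploy.yml. The deploy job's steps continue outside the hunk.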
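Review bot: The job-level block restates `contents: read` because a job-level `permissions:` replaces the workflow-level one entirely rather than merging with it, but nothing in the hunk says so, and a later cleanup could drop that line as a duplicate and break the checkout step. Extend the comment to `contents: read # for actions/checkout to fetch code (job-level permissions replace the workflow-level block, so this must be restated)`; the same applies to the job-level block in test-all.yml. If this workflow runs on `pull_request` from forked repositories, GITHUB_TOKEN is read-only there regardless of the `issues: write` and `pull-requests: write` declared here unless the repository opts in to write tokens for fork PRs, so the comment step would fail on fork PRs; the trigger is not visible in this hunk, so that is worth confirming. The job's steps continue outside the hunk.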
@@ -6,6 +6,9 @@ env: GITHUB_PULL_REQUEST_HEAD_SHA: ${{ github.event.pull_request.head.sha }} GITHUB_PULL_REQUEST_BASE_SHA: ${{ github.event.pull_request.base.sha }} +permissions: + contents: read + jobs: format: name: Run license and prettier formatting tasks diff --git a/.github/workflows/health-metrics-pull-request.yml b/.github/workflows/health-metrics-pull-request.yml index a904a158825..a1a6db483c5 100644 --- a/.github/workflows/health-metrics-pull-request.yml +++ b/.github/workflows/health-metrics-pull-request.yml @@ -17,6 +17,9 @@ env: GITHUB_PULL_REQUEST_BASE_SHA: ${{ github.event.pull_request.base.sha }} NODE_OPTIONS: "--max-old-space-size=4096" +permissions: + contents: read + jobs: binary-size: name: Binary Size diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 94ab40ad7b3..0039e64cd75 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -2,6 +2,9 @@ name: Lint All Packages on: pull_request +permissions: + contents: read + jobs: test: name: Lint diff --git a/.github/workflows/prerelease-manual-deploy.yml b/.github/workflows/prerelease-manual-deploy.yml index 996573b73ff..49c6a8245b6 100644 --- a/.github/workflows/prerelease-manual-deploy.yml +++ b/.github/workflows/prerelease-manual-deploy.yml @@ -9,6 +9,9 @@ on: npmTag: description: 'The npm tag to publish to, as in npm install firebase@' required: true +permissions: + contents: read + jobs: deploy: name: Prerelease Deploy diff --git a/.github/workflows/release-log.yml b/.github/workflows/release-log.yml index d98706a2f00..acb606837be 100644 --- a/.github/workflows/release-log.yml +++ b/.github/workflows/release-log.yml @@ -6,6 +6,9 @@ on: - release - '*-releasebranch' +permissions: + contents: read + jobs: release: name: Send PR number to tracker endpoint diff --git a/.github/workflows/test-all.yml b/.github/workflows/test-all.yml index 7a2c46d6e61..48c1808daae 100644 --- a/.github/workflows/test-all.yml +++ b/.github/workflows/test-all.yml 
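Review bot: The hunk counts (6 old lines, which account for `npmTag:`, `description:`, `required: true`, `jobs:`, `deploy:` and `name:`) suggest there was no blank line between the end of the `on:` block and `jobs:`, so the new top-level `permissions:` lands directly under the indented `required: true` input definition, whereas every other workflow in this diff has a blank line separating the stanzas. Put the blank line before `permissions:` rather than only after `contents: read`, so the stanza separation matches the other workflows. The `workflow_dispatch` input list starts outside the hunk, so this is inferred from the line counts rather than seen directly.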
@@ -8,8 +8,14 @@ env: # make chromedriver detect installed Chrome version and download the corresponding driver DETECT_CHROMEDRIVER_VERSION: true +permissions: + contents: read + jobs: test: + permissions: + checks: write # for coverallsapp/github-action to create new checks + contents: read # for actions/checkout to fetch code name: Node.js and Browser (Chrome) Tests runs-on: ubuntu-latest diff --git a/.github/workflows/test-changed-auth.yml b/.github/workflows/test-changed-auth.yml index c2a9a623c0f..90e81cb5c02 100644 --- a/.github/workflows/test-changed-auth.yml +++ b/.github/workflows/test-changed-auth.yml @@ -6,6 +6,9 @@ env: # make chromedriver detect installed Chrome version and download the corresponding driver DETECT_CHROMEDRIVER_VERSION: true +permissions: + contents: read + jobs: test: name: Test Auth If Changed diff --git a/.github/workflows/test-changed-fcm-integration.yml b/.github/workflows/test-changed-fcm-integration.yml index 5dbb3209dac..eaa995b1463 100644 --- a/.github/workflows/test-changed-fcm-integration.yml +++ b/.github/workflows/test-changed-fcm-integration.yml @@ -6,6 +6,9 @@ env: # make chromedriver detect installed Chrome version and download the corresponding driver DETECT_CHROMEDRIVER_VERSION: true +permissions: + contents: read + jobs: test: name: Test FCM integration If Changed diff --git a/.github/workflows/test-changed-firestore-integration.yml b/.github/workflows/test-changed-firestore-integration.yml index da0c3ac0ad7..af661875afe 100644 --- a/.github/workflows/test-changed-firestore-integration.yml +++ b/.github/workflows/test-changed-firestore-integration.yml @@ -2,6 +2,9 @@ name: Test Firestore Integration on: pull_request +permissions: + contents: read + jobs: test: name: Test Firestore Integration If Changed diff --git a/.github/workflows/test-changed-firestore.yml b/.github/workflows/test-changed-firestore.yml index fc56beb4ba0..937c709c692 100644 --- a/.github/workflows/test-changed-firestore.yml 
+++ b/.github/workflows/test-changed-firestore.yml @@ -2,6 +2,9 @@ name: Test Firestore on: pull_request +permissions: + contents: read + jobs: test: name: Test Firestore If Changed diff --git a/.github/workflows/test-changed-misc.yml b/.github/workflows/test-changed-misc.yml index aa45e2611ae..241615aefc2 100644 --- a/.github/workflows/test-changed-misc.yml +++ b/.github/workflows/test-changed-misc.yml @@ -2,6 +2,9 @@ name: Test @firebase/rules-unit-testing on: pull_request +permissions: + contents: read + jobs: test: name: Test Misc Packages If Changed diff --git a/.github/workflows/test-changed.yml b/.github/workflows/test-changed.yml index 6f86e38e7ed..66c82685dab 100644 --- a/.github/workflows/test-changed.yml +++ b/.github/workflows/test-changed.yml @@ -2,6 +2,9 @@ name: Test Modified Packages on: pull_request +permissions: + contents: read + jobs: test: name: Test Packages With Changed Files diff --git a/.github/workflows/test-firebase-integration.yml b/.github/workflows/test-firebase-integration.yml index 8b7be4057e0..93006008c70 100644 --- a/.github/workflows/test-firebase-integration.yml +++ b/.github/workflows/test-firebase-integration.yml @@ -2,6 +2,9 @@ name: Test Firebase Namespace on: pull_request +permissions: + contents: read + jobs: test: name: Test Firebase Namespace