[actions] restrict action permissions

ljharb · Jul 15, 2022 · e45d713 · e45d713
1 parent 997044d
commit e45d713
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 0 deletions.
diff --git a/.github/workflows/node-aught.yml b/.github/workflows/node-aught.yml
@@ -2,6 +2,9 @@ name: 'Tests: node.js < 10'
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     uses: ljharb/actions/.github/workflows/node.yml@main

diff --git a/.github/workflows/node-pretest.yml b/.github/workflows/node-pretest.yml
@@ -2,6 +2,9 @@ name: 'Tests: pretest/posttest'
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     uses: ljharb/actions/.github/workflows/pretest.yml@main
diff --git a/.github/workflows/node-tens.yml b/.github/workflows/node-tens.yml
@@ -2,6 +2,9 @@ name: 'Tests: node.js >= 10'
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     uses: ljharb/actions/.github/workflows/node.yml@main

diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
@@ -2,8 +2,15 @@ name: Automatic Rebase
 
 on: [pull_request_target]
 
+permissions:
+  contents: read
+
 jobs:
   _:
+    permissions:
+      contents: write  # for ljharb/rebase to push code to rebase
+      pull-requests: read  # for ljharb/rebase to get info about PR
+
     name: "Automatic Rebase"
 
     runs-on: ubuntu-latest

diff --git a/.github/workflows/require-allow-edits.yml b/.github/workflows/require-allow-edits.yml
@@ -2,8 +2,14 @@ name: Require “Allow Edits”
 
 on: [pull_request_target]
 
+permissions:
+  contents: read
+
 jobs:
   _:
+    permissions:
+      pull-requests: read  # for ljharb/require-allow-edits to check 'allow edits' on PR
+
     name: "Require “Allow Edits”"
 
     runs-on: ubuntu-latest