Merge pull request #2909 from sashashura/patch-3

GitHub Workflows security hardening
neos · Feb 13, 2023 · 63ff77e · 63ff77e
2 parents d1e7d99 + 9ae7128
commit 63ff77e
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -6,8 +6,12 @@ on:
   pull_request:
     branches: [ master, '[0-9]+.[0-9]' ]
 
+permissions: {}
 jobs:
   build:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+
     if: "!contains(github.event.head_commit.message, '[skip ci]') && !contains(github.event.head_commit.message, '[skip travis]')"
     name: "PHP ${{ matrix.php-versions }} Test ${{ matrix.static-analysis != 'no' && matrix.static-analysis || '' }} (deps: ${{ matrix.dependencies }})"
 

diff --git a/.github/workflows/experimental.yml b/.github/workflows/experimental.yml
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron:  '0 0 * * *' # Runs every day at midnight
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   build:
     name: "Experimental PHP ${{ matrix.php-versions }} Test ${{ matrix.static-analysis != 'no' && matrix.static-analysis || '' }} (deps: ${{ matrix.dependencies }})"