GitHub Workflows security hardening (#7728)

* build: harden Issue-Needs-Attention.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> * build: harden gradle-wrapper-validation.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> Signed-off-by: Alex <aleksandrosansan@gmail.com>
realm · Sep 28, 2022 · 8ed5f3e · 8ed5f3e
1 parent 530b3f4
commit 8ed5f3e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/.github/workflows/Issue-Needs-Attention.yml b/.github/workflows/Issue-Needs-Attention.yml
@@ -4,6 +4,9 @@ on:
   issue_comment:
     types: created
 
+permissions: {}
 jobs:
   applyNeedsAttentionLabel:
+    permissions:
+      issues: write # to remove and add labels
     uses: realm/ci-actions/.github/workflows/issue-needs-attention.yml@main
diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml
@@ -1,6 +1,9 @@
 name: "Validate Gradle Wrapper"
 on: [push, pull_request]
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   validation:
     name: "Validation"