Set permissions to GITHUB_TOKEN (#2848)

* [StepSecurity] ci: Harden GitHub Actions Signed-off-by: Joyce Brum <joycebrum@google.com> * set release.yml permissions Signed-off-by: Joyce <joycebrum@google.com> * set backport.yml permissions Signed-off-by: Joyce <joycebrum@google.com> --------- Signed-off-by: Joyce Brum <joycebrum@google.com> Signed-off-by: Joyce <joycebrum@google.com>
tensorflow · Sep 12, 2023 · 664ac01 · 664ac01
1 parent 5dd5f65
commit 664ac01
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 0 deletions.
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -5,10 +5,14 @@ on:
       - closed
       - labeled
 
+permissions: {}
+
 jobs:
   backport:
     runs-on: ubuntu-20.04
     name: Backport
+    permissions: 
+      contents: write
     steps:
       - name: Backport Bot
         if: github.event.pull_request.merged && ( ( github.event.action == 'closed' && contains( join( github.event.pull_request.labels.*.name ), 'backport') ) || contains( github.event.label.name, 'backport' ) )

diff --git a/.github/workflows/ci_test.yml b/.github/workflows/ci_test.yml
@@ -10,6 +10,9 @@ on:
       - master
       - r*
 
+permissions:
+  contents: read
+
 jobs:
   flake8-test:
     name: Flake8

diff --git a/.github/workflows/notify_codeowners.yml b/.github/workflows/notify_codeowners.yml
@@ -5,6 +5,9 @@ on:
     types: [opened]
 
 
+permissions:
+  contents: read
+
 jobs:
   notify-codeowners:
     name: Notify codeowners

diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -6,8 +6,14 @@ on:
       - master
       - r*
 
+permissions:
+  contents: read
+
 jobs:
   update_release_draft:
+    permissions:
+      contents: write  # for release-drafter/release-drafter to create a github release
+      pull-requests: write  # for release-drafter/release-drafter to add label to PR
     runs-on: ubuntu-latest
     steps:
       - uses: release-drafter/release-drafter@74e7c423dafbb406c9c18b1638334f67a7c891c3 # Version 5.7.0

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,6 +14,9 @@ on:
       - master
       - r*
 
+permissions:
+  contents: read
+
 env:
   MIN_PY_VERSION: '3.9'
   MAX_PY_VERSION: '3.11'

diff --git a/.github/workflows/validate_codeowners.yml b/.github/workflows/validate_codeowners.yml
@@ -15,6 +15,9 @@ on:
 # Otherwise, it's useless, it just check the codeowners file from the latest commit in master
 
 
+permissions:
+  contents: read
+
 jobs:
   validate-codeowners:
     name: Check that the CODEOWNERS is valid