chore(ci): set permissions granted to the GITHUB_TOKEN (#1119)

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
aquasecurity · Apr 8, 2022 · f3408a9 · f3408a9
1 parent 4ab64f9
commit f3408a9
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 7 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -30,8 +30,10 @@ env:
   KIND_VERSION: "v0.11.1"
   KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
 
-# Cancel any in-flight jobs for the same PR branch so there's only one active
-# at a time.
+# Disable permissions granted to the GITHUB_TOKEN for all the available scopes.
+permissions: {}
+
+# Cancel any in-flight jobs for the same PR branch so there's only one active at a time.
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true

diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml
@@ -1,14 +1,18 @@
 ---
 # This is a manually triggered workflow to build and publish the MkDocs from the
-# main branch to GitHub pages at https://aquasecurity.github.io/starboard.
+# specified Git revision to GitHub pages on https://aquasecurity.github.io/starboard.
 name: Publish documentation
 
 on:
   workflow_dispatch:
     inputs:
       ref:
-        description: The branch, tag or SHA to deploy.
+        description: The branch, tag or SHA to deploy, e.g. v0.0.1
         required: true
+
+# Disable permissions granted to the GITHUB_TOKEN for all the available scopes.
+permissions: {}
+
 jobs:
   deploy:
     name: Deploy documentation

diff --git a/.github/workflows/publish-helm-chart.yaml b/.github/workflows/publish-helm-chart.yaml
@@ -7,7 +7,7 @@ on:
   workflow_dispatch:
     inputs:
       ref:
-        description: The branch, tag or SHA to publish.
+        description: The branch, tag or SHA to publish, e.g. v0.0.1
         required: true
 env:
   HELM_REP: helm-charts

diff --git a/.github/workflows/release-snapshot.yaml b/.github/workflows/release-snapshot.yaml
@@ -1,15 +1,18 @@
 ---
-# Release snapshot on CRON schedule or on demand.
+# Release snapshot on CRON schedule (every night) or on demand.
 name: Release snapshot
 
 on:
   workflow_dispatch: {}
   schedule:
-    - cron: "0 0 * * *"  # every night
+    - cron: "0 0 * * *"
 
 env:
   GO_VERSION: "1.17"
 
+# Disable permissions granted to the GITHUB_TOKEN for all the available scopes.
+permissions: {}
+
 jobs:
   release-snapshot:
     name: Release unversioned snapshot