Skip to content

Commit

Permalink
Set permissions to GITHUB_TOKEN (#2848)
Browse files Browse the repository at this point in the history
* [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: Joyce Brum <joycebrum@google.com>

* set release.yml permissions

Signed-off-by: Joyce <joycebrum@google.com>

* set backport.yml permissions

Signed-off-by: Joyce <joycebrum@google.com>

---------

Signed-off-by: Joyce Brum <joycebrum@google.com>
Signed-off-by: Joyce <joycebrum@google.com>
  • Loading branch information
joycebrum authored Sep 12, 2023
1 parent 5dd5f65 commit 664ac01
Show file tree
Hide file tree
Showing 6 changed files with 22 additions and 0 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/backport.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,14 @@ on:
- closed
- labeled

permissions: {}

jobs:
backport:
runs-on: ubuntu-20.04
name: Backport
permissions:
contents: write
steps:
- name: Backport Bot
if: github.event.pull_request.merged && ( ( github.event.action == 'closed' && contains( join( github.event.pull_request.labels.*.name ), 'backport') ) || contains( github.event.label.name, 'backport' ) )
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/ci_test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ on:
- master
- r*

permissions:
contents: read

jobs:
flake8-test:
name: Flake8
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/notify_codeowners.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@ on:
types: [opened]


permissions:
contents: read

jobs:
notify-codeowners:
name: Notify codeowners
Expand Down
6 changes: 6 additions & 0 deletions .github/workflows/release-drafter.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,14 @@ on:
- master
- r*

permissions:
contents: read

jobs:
update_release_draft:
permissions:
contents: write # for release-drafter/release-drafter to create a github release
pull-requests: write # for release-drafter/release-drafter to add label to PR
runs-on: ubuntu-latest
steps:
- uses: release-drafter/release-drafter@74e7c423dafbb406c9c18b1638334f67a7c891c3 # Version 5.7.0
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,9 @@ on:
- master
- r*

permissions:
contents: read

env:
MIN_PY_VERSION: '3.9'
MAX_PY_VERSION: '3.11'
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/validate_codeowners.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@ on:
# Otherwise, it's useless, it just check the codeowners file from the latest commit in master


permissions:
contents: read

jobs:
validate-codeowners:
name: Check that the CODEOWNERS is valid
Expand Down

0 comments on commit 664ac01

Please sign in to comment.