From 23fc5e099f7bb8b8f979e3928cb1078b9c939daa Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Mon, 3 Oct 2022 07:53:12 -0700
Subject: [PATCH] ci: add minimum GitHub token permissions for workflows (#1792)
Signed-off-by: Varun Sharma
---
 .github/workflows/labeler.yml | 6 ++++++
 .github/workflows/size-labeler.yml | 5 +++++
 .github/workflows/stale.yml | 6 ++++++
 .github/workflows/test.yml | 6 ++++++
 4 files changed, 23 insertions(+)
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index e8b96514..17f451fd 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -2,8 +2,14 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target
+permissions:
+ contents: read
+
 jobs:
 triage:
+ permissions:
+ contents: read # for actions/labeler to determine modified files
+ pull-requests: write # for actions/labeler to add labels to PRs
 runs-on: ubuntu-latest
 steps:
 - uses: actions/labeler@v4
diff --git a/.github/workflows/size-labeler.yml b/.github/workflows/size-labeler.yml
index f04024fa..4c54d827 100644
--- a/.github/workflows/size-labeler.yml
+++ b/.github/workflows/size-labeler.yml
@@ -4,8 +4,13 @@ name: size-labeler
 on: [pull_request_target]
+permissions:
+ contents: read
+
 jobs:
 size-labeler:
+ permissions:
+ pull-requests: write # for codelytv/pr-size-labeler to add labels & comment on PRs
 runs-on: ubuntu-latest
 name: Label the PR size
 steps:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index a558792b..2db5123d 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,9 +4,15 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ contents: read
+
 jobs:
 stale:
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7865add6..a55d39fe 100644
--- a/.github/workflows/test.yml
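Review bot: The job-level `permissions` block added under `triage` still hands a `pull-requests: write` token to a workflow triggered by `pull_request_target`, which runs for pull requests from forks with the base repository's credentials; the scoping is correct, but nothing in the file records that this is only safe while the job never checks out or executes PR-head code (the only visible step is `actions/labeler@v4`, and the `steps` list may continue past the hunk). I would add `# pull_request_target: this token is write-capable on fork PRs - never check out or run PR-head code in this job` directly above the job-level `permissions:`. It is also worth stating in that comment that a job-level `permissions` block replaces the workflow-level `contents: read` rather than extending it, which is why `contents: read` has to be repeated here. Given the write token, pinning `actions/labeler` to a commit SHA instead of the mutable `v4` tag would shrink the blast radius of a compromised action, though that line is unchanged by this commit.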
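Review bot: The job-level block under `size-labeler` grants only `pull-requests: write`, so for this job the workflow-level `contents: read` does not apply and the token's `contents` scope becomes none; that appears consistent with an action that works purely through the pull-request API, but a reader comparing this job with the labeler workflow (which repeats `contents: read`) will wonder whether the omission was deliberate. I would make it explicit with `# job-level permissions replace the workflow-level block; contents is intentionally not granted here (API-only action)` above `permissions:`, after confirming the action really needs no repository checkout. Since this workflow also runs on `pull_request_target`, the same caveat applies: the write token is safe only while no step checks out or runs PR-head code, and the `steps` list continues outside the hunk.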
+++ b/.github/workflows/test.yml
@@ -8,6 +8,9 @@ on:
 env:
 GO111MODULE: on
+permissions:
+ contents: read
+
 jobs:
@@ -30,6 +33,9 @@ jobs:
 golangci-lint:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
 runs-on: ubuntu-latest
 steps: