ci: add minimum GitHub token permissions for workflows (#1792)

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
Varun Sharma 2022-10-03 07:53:12 -07:00 committed by GitHub
parent 93d1913fb0
commit 23fc5e099f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 23 additions and 0 deletions


@ -2,8 +2,14 @@ name: "Pull Request Labeler"
on: on:
- pull_request_target - pull_request_target
permissions:
contents: read
jobs: jobs:
triage: triage:
permissions:
contents: read # for actions/labeler to determine modified files
pull-requests: write # for actions/labeler to add labels to PRs
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/labeler@v4 - uses: actions/labeler@v4
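Review bot: The `triage` job now declares `pull-requests: write` under `pull_request_target`, but the step that presumably consumes that token is still referenced by a mutable tag, `actions/labeler@v4`. Scoping the token limits what the action can do; pinning the ref to a reviewed commit limits which code gets the token, so the two belong together: `- uses: actions/labeler@<full-commit-sha> # v4`. It would also help to comment the workflow-level block, e.g. `# default for any job that does not set its own permissions`, since the job-level map replaces it rather than merging with it. The `steps:` list continues outside this hunk, so any later steps are not covered by this note.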


@ -4,8 +4,13 @@ name: size-labeler
on: [pull_request_target] on: [pull_request_target]
permissions:
contents: read
jobs: jobs:
size-labeler: size-labeler:
permissions:
pull-requests: write # for codelytv/pr-size-labeler to add labels & comment on PRs
runs-on: ubuntu-latest runs-on: ubuntu-latest
name: Label the PR size name: Label the PR size
steps: steps:
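Review bot: The job-level block on `size-labeler` lists only `pull-requests: write`. Because a job-level `permissions` map replaces the workflow-level one instead of merging with it, this job ends up with no `contents` access despite the `contents: read` added above `jobs:`. That is the tighter setting and is probably intended, but it differs from the `triage` job in the labeler workflow, which restates `contents: read`. A comment would make the omission deliberate: `# job-level block replaces the workflow default; contents is intentionally left at none`. The steps are outside this hunk, so it cannot be confirmed from here that none of them needs repository contents.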


@ -4,9 +4,15 @@ on:
schedule: schedule:
- cron: "0 0 * * *" - cron: "0 0 * * *"
permissions:
contents: read
jobs: jobs:
stale: stale:
permissions:
issues: write # for actions/stale to close stale issues
pull-requests: write # for actions/stale to close stale PRs
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:


@ -8,6 +8,9 @@ on:
env: env:
GO111MODULE: on GO111MODULE: on
permissions:
contents: read
jobs: jobs:
@ -30,6 +33,9 @@ jobs:
golangci-lint: golangci-lint:
permissions:
contents: read # for actions/checkout to fetch code
pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps: