diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8302d35d31..24b3c17cd2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,9 @@ on:
   release: { types: [published] }
   workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
   npmjs:
     runs-on: ubuntu-latest
@@ -18,6 +21,8 @@ jobs:
   github-npm:
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
diff --git a/.github/workflows/release_dockerhub.yml b/.github/workflows/release_dockerhub.yml
index 84a7191d8d..7965bcd404 100644
--- a/.github/workflows/release_dockerhub.yml
+++ b/.github/workflows/release_dockerhub.yml
@@ -14,6 +14,8 @@ permissions:
 jobs:
   dockerhub:
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 70863f49e9..0c053e41bb 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -3,6 +3,9 @@ name: Tests
 # Controls when the action will run.
 on: [push, pull_request, workflow_dispatch]
+permissions:
+  contents: read
+
 jobs:
   changelog:
     runs-on: ubuntu-20.04
@@ -276,9 +279,6 @@ jobs:
   coverage:
     runs-on: ubuntu-20.04
-    permissions:
-      pull-requests: write
-      issues: write
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - run: |
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index b707a6ebf5..1323c179b1 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
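Review bot: The job-level `permissions:` block added under `github-npm` in release.yml replaces the workflow-level block rather than merging with it, so that job's GITHUB_TOKEN gets `packages: write` and nothing else — the `contents: read` granted at the top of the file does not carry over into the job. If the checkout or publish steps of that job rely on the token for repository reads (they may not on a public repository), add `contents: read` next to `packages: write` in the job block. The same applies to the `dockerhub` job in release_dockerhub.yml, whose job-level block also lists only `packages: write`. A one-line comment such as `# job-level permissions replace the workflow-level set; list every scope this job needs` above each job block would keep the next editor from assuming the scopes are additive.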
@@ -13,7 +13,7 @@ The format is based on [Keep a Changelog][kac] and this project adheres to
 ### Added
-* hardened CI scripts by using hashes instead of versions for actions (#754)
+* hardened CI scripts by using hashes instead of versions for actions and restricting permissions (#754, #770)
 * add security.md (#762)
 * add codespell CI checks (#720)