From 4780603e98ce49be6e065c7a083419245a898bb8 Mon Sep 17 00:00:00 2001
From: Alex
Date: Tue, 27 Sep 2022 10:30:51 +0200
Subject: [PATCH 1/4] build: harden close-stale.yml permissions

Signed-off-by: Alex
---
 .github/workflows/close-stale.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/close-stale.yml b/.github/workflows/close-stale.yml
index 56056c989462..a36254db4ef9 100644
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -3,6 +3,10 @@ on:
   schedule:
     - cron: '*/10 * * * *'
 
+permissions:
+  issues: write # to close stale issues (actions/stale)
+  pull-requests: write # to close stale PRs (actions/stale)
+
 jobs:
   stale:
     name: 'Close month old issues and PRs'

From b2c9fa1e1bc3803f5c6e1867f4efac077548d816 Mon Sep 17 00:00:00 2001
From: Alex
Date: Tue, 27 Sep 2022 10:31:13 +0200
Subject: [PATCH 2/4] build: harden issues.yml permissions

Signed-off-by: Alex
---
 .github/workflows/issues.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml
index 544610f04863..ec0e49344fc7 100644
--- a/.github/workflows/issues.yml
+++ b/.github/workflows/issues.yml
@@ -4,6 +4,9 @@ on:
   issues:
     types: [labeled]
 
+permissions:
+  issues: write # to close issues (peter-evans/close-issue)
+
 jobs:
   questions:
     name: Questions

From c94bd45d0165a2f6091334972e5a52ecf05a9b62 Mon Sep 17 00:00:00 2001
From: Alex
Date: Tue, 27 Sep 2022 10:31:27 +0200
Subject: [PATCH 3/4] build: harden lock.yml permissions

Signed-off-by: Alex
---
 .github/workflows/lock.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index 2c143dc3f000..216f0b83fcb0 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
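Review bot: The comment on the `pull-requests: write` line documents the two scopes actions/stale needs by default, but the action additionally requires `contents: write` when it is configured with `delete-branch: true`, and the stale step's `with:` block is below this hunk, so that cannot be confirmed from here. If branch deletion is enabled, the job will start failing with a 403 from the API once this restriction lands rather than at workflow parse time. Either add `contents: write # to delete branches of closed PRs (actions/stale)` or state in the comment that branch deletion is intentionally not granted, so the next maintainer knows the omission is deliberate. The `stale` job definition continues outside the hunk.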
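Review bot: `permissions:` is declared at the workflow level here, so `issues: write` is handed to every job in issues.yml, including any job below this hunk that only reads the event payload, whereas patch 3 of this series uses the tighter shape (`permissions: {}` at the workflow level, the grant on the job that actually runs the action). Applying the same shape here keeps the token read-nothing for jobs that do not need it and stops a later-added job from silently inheriting write scope: add `permissions: {}` at the top and move `issues: write # to close issues (peter-evans/close-issue)` under the job that calls peter-evans/close-issue. The `questions` job definition continues outside the hunk, so whether other jobs exist in this file cannot be seen from here.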
@@ -4,8 +4,13 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions: {}
 jobs:
   lock:
+    permissions:
+      issues: write # to lock issues (dessant/lock-threads)
+      pull-requests: write # to lock PRs (dessant/lock-threads)
+
     runs-on: ubuntu-latest
     steps:
       - uses: dessant/lock-threads@v3

From fa0a91a0c9bb9b344bf11695f77a7661e21140d2 Mon Sep 17 00:00:00 2001
From: Alex
Date: Tue, 27 Sep 2022 10:34:17 +0200
Subject: [PATCH 4/4] build: harden nodejs.yml permissions

Signed-off-by: Alex
---
 .github/workflows/nodejs.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index e72e92e76d6f..24e7f7e2de3b 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   prepare-yarn-cache-ubuntu:
     uses: ./.github/workflows/prepare-cache.yml
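Review bot: The job that now receives `issues: write` and `pull-requests: write` runs `dessant/lock-threads@v3`, a mutable major-version tag, so anyone able to move that tag in the action's repository gets a token with write access to every issue and PR here; the permissions hardening is only as strong as the pin on the action it protects. Pin the step to a full commit SHA and keep the version in a trailing comment, e.g. `- uses: dessant/lock-threads@<40-hex-commit-sha> # v3.x.y`, and let Dependabot or Renovate bump it. The `permissions: {}` workflow default plus job-level grants is the right shape and is the one I would copy into the other three workflows in this series.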
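Review bot: `contents: read` at the workflow level becomes the ceiling for every job in nodejs.yml, including `prepare-yarn-cache-ubuntu`, which calls the reusable workflow `./.github/workflows/prepare-cache.yml`; a called workflow can narrow the token it inherits but cannot widen it, so any `permissions:` block inside prepare-cache.yml is now capped at read. Any job further down this file that needs more than read, such as posting a PR comment, writing a check, or uploading to a release, must now declare its own job-level `permissions:` or it will fail with a 403 at the API call rather than at parse time; the `jobs:` map continues past the hunk, so those jobs are not visible here. A short comment on the added line would save the next maintainer a surprise: `# default for every job in this file; a job that needs more must add its own job-level permissions block`.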