From b1d25a96e4bb29d9429eead91bcc79c0fc6aa87c Mon Sep 17 00:00:00 2001
From: Alex
Date: Tue, 27 Sep 2022 17:25:39 +0200
Subject: [PATCH] GitHub Workflows security hardening (#14388)

* build: harden lint.yml permissions
Signed-off-by: Alex
* build: harden doc.yml permissions
Signed-off-by: Alex
* build: harden test.yml permissions
Signed-off-by: Alex
Signed-off-by: Alex
---
 .github/workflows/doc.yml | 3 +++
 .github/workflows/lint.yml | 7 +++++++
 .github/workflows/test.yml | 3 +++
 3 files changed, 13 insertions(+)
diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml
index c8db39e288..c980c98540 100644
--- a/.github/workflows/doc.yml
+++ b/.github/workflows/doc.yml
@@ -16,6 +16,9 @@ on:
 - 'doc/**'
 - 'mkdocs.yml'
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 publish:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 30077972c1..ad86f23dda 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -4,8 +4,15 @@ on:
 pull_request:
 branches: [master, main]
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 super-linter:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+ checks: write # to mark the status of each individual linter run
+
 name: Lint Code Base
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ae750d95e4..66e348306c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -18,6 +18,9 @@ on:
 - 'doc/**'
 - 'mkdocs.yml'
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 test:
 runs-on: ubuntu-18.04
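Review bot: The workflow-level `permissions: contents: read` added to doc.yml also binds the `publish` job, whose steps begin after this hunk; if that job deploys the site with `GITHUB_TOKEN` (for example a push to a pages branch), the push will now fail with a 403 at run time rather than being rejected when the workflow is parsed. If that is the case, keep the read-only default and add a job-level override under `publish:` — `permissions:` / `  contents: write` — instead of widening the top-level block. The same check applies to the `test` job in the test.yml hunk, which receives the identical default: a job that only checks out and runs tests needs nothing further, but any step that writes to the repository, posts comments or publishes artifacts to another service via the token needs its own job-level grant, since a job-level `permissions` block replaces rather than extends the workflow-level one.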
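Review bot: `checks: write` on the `super-linter` job may not be the scope the action actually exercises: the per-linter status reporting the comment describes is done through the commit statuses API, which is governed by `statuses: write`, whereas `checks: write` covers only the Checks API; confirm against the super-linter version pinned in the job's steps, which lie outside this hunk, and if so change the line to `statuses: write # to report the status of each individual linter run`. The job-level `contents: read` is required rather than redundant, because declaring any job-level `permissions` resets every unlisted scope to none, so the repeated comment undersells why it is there — consider `contents: read # needed here too: a job-level permissions block replaces the workflow-level one`. The workflow-level block above `jobs:` is fine as the default for any job that does not declare its own.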