From 4cb6984a6591b63d3870e3a7e8b7351794f0166e Mon Sep 17 00:00:00 2001
From: Alex
Date: Thu, 29 Sep 2022 18:41:33 +0300
Subject: [PATCH] GitHub Workflows security hardening (#10456)
* build: harden lock.yml permissions
Signed-off-by: Alex
* build: harden stale.yml permissions
Signed-off-by: Alex
* build: harden ci.yml permissions
Signed-off-by: Alex
Signed-off-by: Alex
---
 .github/workflows/ci.yml | 2 ++
 .github/workflows/lock.yml | 5 +++++
 .github/workflows/stale.yml | 5 +++++
 3 files changed, 12 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 67f5028cd..9431863b7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,7 @@
 name: CI
 on: [push, pull_request]
+permissions:
+ contents: read # to fetch code (actions/checkout)
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index 9df4bc441..b928fc128 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -5,8 +5,13 @@ on:
 schedule:
 - cron: '0 3 * * *'
+permissions: {}
 jobs:
 lock:
+ permissions:
+ issues: write # to lock issues (dessant/lock-threads)
+ pull-requests: write # to lock PRs (dessant/lock-threads)
+
 runs-on: ubuntu-latest
 steps:
 - uses: dessant/lock-threads@v3
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 57666417a..1df1c7044 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,8 +4,13 @@ on:
 schedule:
 - cron: '0 4 * * *'
+permissions: {}
 jobs:
 stale:
+ permissions:
+ issues: write # to close stale issues (actions/stale)
+ pull-requests: write # to close stale PRs (actions/stale)
+
 runs-on: ubuntu-latest
 steps:
 - uses: actions/stale@v5
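Review bot: The comment on `contents: read` in ci.yml says why that scope is needed but not that naming any scope at workflow level drops every other GITHUB_TOKEN scope to none for every job in the file, which is the actual hardening here and the thing a future maintainer is most likely to trip over; `# all other scopes are 'none' — a job needing more must declare job-level permissions:` would make that explicit. The `build` job's steps are outside the hunk, so I cannot see whether any step uses the token for more than checkout (posting a PR comment, writing check annotations, publishing); if one does it will now fail with 403, so it is worth confirming on a run of this branch before merging. Since the trigger is `on: [push, pull_request]`, fork PRs already ran with a read-only token, so the change is only observable on push and same-repo PR runs.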
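Review bot: The write scopes added to the `lock` job in lock.yml are handed to `dessant/lock-threads@v3` on the context line at the end of the hunk, a mutable tag resolved at run time, so a re-pointed or compromised `v3` tag would run arbitrary code with `issues: write` and `pull-requests: write`; pinning to the full commit SHA keeps the grant bound to reviewed code, e.g. `- uses: dessant/lock-threads@<full-commit-sha> # v3`, and Dependabot or Renovate can keep the SHA current. Tightening the token and leaving the action unpinned only half-closes the door. The added `+` blank line between `pull-requests: write` and `runs-on:` splits the job mapping visually for no reason and could be dropped. The `lock` job's `with:` inputs run past the end of the hunk, so I cannot see what else the step does with the token.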
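Review bot: The same applies to `actions/stale@v5` in stale.yml: the `stale` job now carries `issues: write` and `pull-requests: write`, and a moving `v5` tag is what receives them; even for a first-party action, a SHA pin (`- uses: actions/stale@<full-commit-sha> # v5`) is what GitHub's own hardening guidance recommends so the grant cannot be redirected by a tag move. One point in favour of the grant as written is worth recording in the comment: the only trigger visible is `schedule`, so this job should never run in a `pull_request_target` context where fork-supplied input could reach it with a write token, e.g. `# schedule-only: no untrusted (fork PR) input reaches this job` — hedged because lines before `on:` are outside the hunk. The job's `with:` inputs are also outside the hunk.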