From cf71eb70a5d8235991eb79bfbdb0d3d69fa65e61 Mon Sep 17 00:00:00 2001
From: "Sean T. Allen"
Date: Sun, 19 Jan 2025 01:10:33 +0000
Subject: [PATCH] Limit some workflow permissions

Limiting our permissions to the base minimum needed for the given workflow. This PR gets workflows that run when a PR is opened.
---
 .github/workflows/add-discuss-during-sync.yml | 3 +++
 .github/workflows/changelog-bot.yml | 4 ++++
 .github/workflows/lint-action-workflows.yml | 3 +++
 .github/workflows/pr.yml | 3 +++
 .github/workflows/release-notes.yml | 5 +++++
 5 files changed, 18 insertions(+)

diff --git a/.github/workflows/add-discuss-during-sync.yml b/.github/workflows/add-discuss-during-sync.yml
index 46d3f134a4..f04f2e1c32 100644
--- a/.github/workflows/add-discuss-during-sync.yml
+++ b/.github/workflows/add-discuss-during-sync.yml
@@ -18,6 +18,9 @@ on:
     types:
       - submitted
 
+permissions:
+  pull-requests: write
+
 jobs:
   add-label:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/changelog-bot.yml b/.github/workflows/changelog-bot.yml
index aede2f3982..43887fc2d2 100644
--- a/.github/workflows/changelog-bot.yml
+++ b/.github/workflows/changelog-bot.yml
@@ -9,6 +9,10 @@ on:
     paths-ignore:
       - CHANGELOG.md
 
+permissions:
+  packages: read
+  pull-requests: write
+
 jobs:
   changelog-bot:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/lint-action-workflows.yml b/.github/workflows/lint-action-workflows.yml
index ed595c4492..7d9f4573ec 100644
--- a/.github/workflows/lint-action-workflows.yml
+++ b/.github/workflows/lint-action-workflows.yml
@@ -6,6 +6,9 @@ concurrency:
   group: lint-actions-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  packages: read
+
 jobs:
   lint:
     name: Lint
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 55d67979f8..0cc523ce9f 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
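Review bot: The new `permissions:` blocks in add-discuss-during-sync.yml, changelog-bot.yml, lint-action-workflows.yml and pr.yml name the scope but not the step that needs it, and an explicit block also resets every unlisted scope, including `contents`, to none. A one-line comment per scope would let the next reviewer judge the grant, e.g. `# add-label needs pull-requests: write to label the PR` in add-discuss-during-sync.yml and `# packages: read — pull the job's container image from GHCR` in the other three (the container reference is outside these hunks, so confirm that is actually the reason). The job steps begin after each hunk ends, so please also confirm that any `actions/checkout` or git step there still succeeds once `contents` is no longer granted, or add `contents: read` where it is required.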
@@ -6,6 +6,9 @@ concurrency:
   group: pr-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  packages: read
+
 jobs:
   superlinter:
     name: Lint bash, docker, markdown, and yaml
diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml
index efe9b8b297..917e0ecf2b 100644
--- a/.github/workflows/release-notes.yml
+++ b/.github/workflows/release-notes.yml
@@ -10,6 +10,11 @@ on:
       - .release-notes/next-release.md
       - .release-notes/\d+.\d+.\d+.md
 
+permissions:
+  packages: read
+  pull-requests: read
+  contents: write
+
 jobs:
   release-notes:
     runs-on: ubuntu-latest
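Review bot: `contents: write` in release-notes.yml is the only write-to-repository grant in this patch, and it sits at workflow level on a `pull_request`-triggered workflow, so every step of every job runs with a token that can push to the repository (for PRs from same-repo branches; fork PRs still receive a read-only token). If only one job or step commits to `.release-notes/`, the grant belongs in that job's own `permissions:` block rather than at the top, with the rest of the workflow left at `contents: read`. A comment such as `# contents: write — the release-notes job commits updates under .release-notes/` would record why the scope exists; the purpose is inferred from the `paths:` filter, so adjust the wording to what the job actually does. The job body continues past the end of the hunk.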