From a427eb543b957c27a4073a3c49fa93e31f27e463 Mon Sep 17 00:00:00 2001
From: Thomas von Deyen
Date: Tue, 7 Jan 2025 22:01:03 +0100
Subject: [PATCH 1/2] CI: Set workflow permissions
Adviced by the GH CodeQL scanner
(cherry picked from commit ce3b4ad810338ab5868bfddeff85d4231eab3952)
# Conflicts:
# .github/workflows/build_test.yml
---
 .github/workflows/backport.yml | 3 +++
 .github/workflows/brakeman-analysis.yml | 3 +++
 .github/workflows/build_test.yml | 10 ++++++++++
 .github/workflows/lint.yml | 3 +++
 .github/workflows/stale.yml | 5 ++++-
 5 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 569a54339c..01e5416179 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -6,6 +6,9 @@ on:
 - closed
 - labeled
 
+permissions:
+ pull-requests: write
+
 jobs:
 backport:
 name: Backport
diff --git a/.github/workflows/brakeman-analysis.yml b/.github/workflows/brakeman-analysis.yml
index c0fda50dd0..8295c090df 100644
--- a/.github/workflows/brakeman-analysis.yml
+++ b/.github/workflows/brakeman-analysis.yml
@@ -7,6 +7,9 @@ concurrency:
 group: brakeman-${{ github.ref_name }}
 cancel-in-progress: ${{ github.ref_name != 'main' }}
 
+permissions:
+ contents: read
+
 on:
 push:
 branches:
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
index f6df52c20f..31b6e05c60 100644
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -12,6 +12,8 @@ on:
 
 jobs:
 check_yarn_lock:
+ permissions:
+ contents: read
 runs-on: ubuntu-22.04
 name: Check yarn.lock
 steps:
@@ -27,6 +29,8 @@ jobs:
 yarn_lock_changed: ${{ steps.changed-yarn-lock.outputs.any_changed }}
 
 build_javascript:
+ permissions:
+ contents: read
 runs-on: ubuntu-22.04
 name: Build JS packages
 needs: check_yarn_lock
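Review bot: The new top-level `permissions:` block in `backport.yml` grants only `pull-requests: write`, which sets every other scope, including `contents`, to `none`; if the backport job pushes the backport branch with `GITHUB_TOKEN`, it now also needs `contents: write` in the same block, otherwise the push will be rejected. The job body and the action it uses are outside the hunk, so this depends on how the push is performed (a separately stored token would not be affected). Because the trigger fires on `labeled` and `closed` events (the event name itself is outside the hunk), keep the write scope as narrow as it is here and make sure the job does not check out or execute pull-request head code with that token.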
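Review bot: Permissions are added per job in `build_test.yml` but there is no workflow-level `permissions:` default, so any job added later without its own block still runs with the repository's default token scopes; the same applies to the hunks at `-27`, `-54`, `-162` and `-194`. A workflow-level `permissions:` with `contents: read` placed before `jobs:` would make read-only the default and leave only `PushJavascript` to elevate to `contents: write` at job level, which also removes the repeated `contents: read` blocks. `PushJavascript` is gated on `if: github.event_name == 'pull_request'` and pushes to `${{ github.head_ref }}`; on pull requests from forks the token is read-only regardless of this block, so that case is worth a short comment on the job.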
@@ -54,6 +58,8 @@ jobs:
 path: vendor/javascript
 
 RSpec:
+ permissions:
+ contents: read
 needs: [check_yarn_lock, build_javascript]
 if: ${{ success('check_yarn_lock') && !failure('build_javascript') }}
 runs-on: ubuntu-22.04
@@ -162,6 +168,8 @@ jobs:
 spec/dummy/tmp/screenshots
 
 PushJavascript:
+ permissions:
+ contents: write
 runs-on: ubuntu-22.04
 needs: [check_yarn_lock, RSpec]
 if: github.event_name == 'pull_request'
@@ -194,6 +202,8 @@ jobs:
 branch: ${{ github.head_ref }}
 
 Jest:
+ permissions:
+ contents: read
 runs-on: ubuntu-22.04
 env:
 NODE_ENV: test
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index df5427a5f8..c20f19b69c 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,6 +6,9 @@ concurrency:
 group: lint-${{ github.ref_name }}
 cancel-in-progress: ${{ github.ref_name != 'main' }}
 
+permissions:
+ contents: read
+
 jobs:
 Standard:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 1821afb177..d1129b581b 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,10 +4,13 @@ on:
 schedule:
 - cron: "0 0 * * *"
 
+permissions:
+ pull-requests: write
+ issues: write
+
 jobs:
 stale:
 runs-on: ubuntu-22.04
-
 steps:
 - uses: actions/stale@v5
 with:
From 58e54b6cbbc9235b33b3cfb2b592f20826157da1 Mon Sep 17 00:00:00 2001
From: Thomas von Deyen
Date: Tue, 7 Jan 2025 23:00:16 +0100
Subject: [PATCH 2/2] CI: Brakeman needs security-events: write permissions
In order to write code scanning alerts
---
 .github/workflows/brakeman-analysis.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/brakeman-analysis.yml b/.github/workflows/brakeman-analysis.yml
index 8295c090df..5405d7a3d5 100644
--- a/.github/workflows/brakeman-analysis.yml
+++ b/.github/workflows/brakeman-analysis.yml
@@ -9,6 +9,7 @@ concurrency:
 
 permissions:
 contents: read
+ security-events: write
 
 on:
 push:
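Review bot: The new `permissions:` block in `stale.yml` grants `issues: write` and `pull-requests: write` and nothing else, so `contents` is now `none`; `actions/stale` additionally requires `contents: write` when `delete-branch: true` is configured, and the `with:` inputs are outside the hunk, so that setting needs checking. If it is enabled, add `contents: write` next to the two existing scopes; if not, the block is correctly minimal and the closing of `contents` is an improvement.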
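Review bot: `security-events: write` is granted at workflow level in `brakeman-analysis.yml`, so if the workflow has more than one job, every job receives it although only the step that uploads the scan results needs it; moving it under that job's `permissions:` would keep the workflow-level default at `contents: read`. If the upload is done with `github/codeql-action/upload-sarif` and the repository is private, that action also needs `actions: read` alongside `security-events: write`. The job definitions are outside the hunk.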