Ensure top-level permissions are not set to write-all

oasisprotocol · Mar 6, 2023 · e43e764 · e43e764
1 parent ef76686
commit e43e764
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 0 deletions.
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [stable, master]
 
+# disable secrets.GITHUB_TOKEN permissions
+permissions: {}
+
 jobs:
   yarn_cache:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/dump-validators.yml b/.github/workflows/dump-validators.yml
@@ -6,6 +6,10 @@ on:
   schedule:
     - cron: '0 0 1 * *'
 
+permissions: # Limit secrets.GITHUB_TOKEN permissions
+  contents: write
+  pull-requests: write
+
 jobs:
   dump-validators:
     if: github.repository == 'oasisprotocol/oasis-wallet-web'

diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
@@ -9,6 +9,10 @@ on:
   pull_request:
     branches: [stable, master]
 
+permissions: # Limit secrets.GITHUB_TOKEN permissions
+  contents: write
+  pull-requests: write
+
 env: # Comment env block if you do not want to apply fixes
   # Apply linter fixes configuration
   APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool)