From d3b1f2531498cdd513e1065d7ddedb96b2df2333 Mon Sep 17 00:00:00 2001
From: Daniel Farrell
Date: Wed, 24 Aug 2022 15:04:18 -0400
Subject: [PATCH] Minimize GHA permissions

Set the GitHub Actions token permission to null in most workflows. This results in: GITHUB_TOKEN Permissions Metadata: read The default permissions, used without the null override, are either GITHUB_TOKEN Permissions Actions: write Checks: write Contents: write Deployments: write Discussions: write Issues: write Metadata: read Packages: write Pages: write PullRequests: write RepositoryProjects: write SecurityEvents: write Statuses: write or GITHUB_TOKEN Permissions Actions: read Checks: read Contents: read Deployments: read Discussions: read Issues: read Metadata: read Packages: read Pages: read PullRequests: read RepositoryProjects: read SecurityEvents: read Statuses: read Jobs triggered by PRs get read permissions, other jobs get write. One job requires non-null permissions to function. The dependent issues GHA needs PR/issues write permissions to add/remove `dependent` labels. It needs status write permission to block/unblock PRs when dependencies are missing/met. Fails with HttpError otherwise.

Signed-off-by: Daniel Farrell
---
 .github/workflows/branch.yml | 2 ++
 .github/workflows/dependent-issues.yml | 5 +++++
 .github/workflows/linting.yml | 2 ++
 .github/workflows/periodic.yml | 2 ++
 4 files changed, 11 insertions(+)

diff --git a/.github/workflows/branch.yml b/.github/workflows/branch.yml
index c08bc1c4..db8f2bc5 100644
--- a/.github/workflows/branch.yml
+++ b/.github/workflows/branch.yml
@@ -4,6 +4,8 @@ name: Branch Checks
 on:
 pull_request:
 
+permissions: {}
+
 jobs:
 target_devel:
 name: PR targets devel
diff --git a/.github/workflows/dependent-issues.yml b/.github/workflows/dependent-issues.yml
index 1c74435f..10c91931 100644
--- a/.github/workflows/dependent-issues.yml
+++ b/.github/workflows/dependent-issues.yml
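Review bot: `permissions: {}` at workflow level reduces the token to `metadata: read` for every job, which is the right baseline, but it also drops `contents: read`; if the `target_devel` job (its steps run past the end of the hunk) checks out the repository with the default token, it may need `permissions: contents: read` declared on that job, so this is worth confirming against the job's steps even though the commit message indicates only one job needed scopes. The same `permissions: {}` addition appears in the linting.yml and periodic.yml hunks, with the same question for their `apply-suggestions-commits` and `markdown-link-check-periodic` jobs. A short comment above the new key, e.g. `# Least privilege: GITHUB_TOKEN is reduced to metadata:read; grant extra scopes per job, not workflow-wide`, would make the intent clear to whoever adds the next job.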
@@ -11,6 +11,11 @@ on:
 - opened
 - edited
 
+permissions:
+ issues: write
+ pull-requests: write
+ statuses: write
+
 jobs:
 check:
 name: Check Dependencies
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 5b1c3ca5..f1ffcdd3 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -4,6 +4,8 @@ name: Linting
 on:
 pull_request:
 
+permissions: {}
+
 jobs:
 apply-suggestions-commits:
 name: 'No "Apply suggestions from code review" Commits'
diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml
index c6b76a7a..6e65df53 100644
--- a/.github/workflows/periodic.yml
+++ b/.github/workflows/periodic.yml
@@ -5,6 +5,8 @@ on:
 schedule:
 - cron: "0 0 * * 0"
 
+permissions: {}
+
 jobs:
 markdown-link-check-periodic:
 name: Markdown Links (all files)
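Review bot: The `issues`, `pull-requests` and `statuses` write scopes are granted at workflow level, so every job in dependent-issues.yml inherits them rather than only the `check` job that needs them (its body continues past the hunk); moving the `permissions:` block under `jobs.check` keeps any job added later at the read-only baseline. Only `check` is visible here, so this is a least-privilege tightening rather than a defect today. The `opened`/`edited` activity types are listed but their event type sits above the hunk; if the workflow runs on `pull_request` for PRs from forks, the token is read-only regardless of this block and the HttpError described in the commit message would still occur for those PRs, which is worth verifying. A comment on the block, e.g. `# Needed by the dependent-issues action to add/remove the dependent label and set the blocking status`, would explain why this workflow departs from the `permissions: {}` default used in the other workflows.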