Skip to content

Commit

Permalink
Minimize GHA permissions
Browse files Browse the repository at this point in the history
Set the GitHub Actions token permission to null in most workflows.

This results in:

GITHUB_TOKEN Permissions
  Metadata: read

The default permissions, used without the null override, are either

GITHUB_TOKEN Permissions
  Actions: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

or

GITHUB_TOKEN Permissions
  Actions: read
  Checks: read
  Contents: read
  Deployments: read
  Discussions: read
  Issues: read
  Metadata: read
  Packages: read
  Pages: read
  PullRequests: read
  RepositoryProjects: read
  SecurityEvents: read
  Statuses: read

Jobs triggered by PRs get read permissions, other jobs get write.

A few jobs require non-null permissions to function.

The dependent issues GHA needs PR/issues write permissions to add/remove
`dependent` labels. It needs status write permission to block/unblock
PRs when dependencies are missing/met. Fails with HttpError otherwise.

The release job needs permissions to publish releases on GitHub and
create/edit PRs. The exact permissions for this job might need tweaking.

The testing workflow already had specific permissions granted.

Signed-off-by: Daniel Farrell <[email protected]>
  • Loading branch information
dfarrell07 committed Aug 25, 2022
1 parent 95e4712 commit 741b4c0
Show file tree
Hide file tree
Showing 8 changed files with 23 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/branch.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ name: Branch Checks
on:
pull_request:

permissions: {}

jobs:
target_branch:
name: PR targets branch
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/codeowners.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@ on:
- 'CODEOWNERS'
- 'CODEOWNERS.in'

permissions: {}

jobs:
updated:
name: Up-to-date
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/dependent-issues.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,11 @@ on:
schedule:
- cron: '0 0/6 * * *' # every 6 hours

permissions:
issues: write
pull-requests: write
statuses: write

jobs:
check:
name: Check Dependencies
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/e2e.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ name: End to End Tests
on:
pull_request:

permissions: {}

jobs:
e2e:
name: E2E
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/linting.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ name: Linting
on:
pull_request:

permissions: {}

jobs:
apply-suggestions-commits:
name: 'No "Apply suggestions from code review" Commits'
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/periodic.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@ on:
schedule:
- cron: "0 0 * * 0"

permissions: {}

jobs:
markdown-link-check-periodic:
name: Markdown Links (all files)
Expand Down
6 changes: 6 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,12 @@ on:
paths:
- 'releases/**'

permissions:
contents: read
packages: : write
pull-requests: write
issues: write

jobs:
release:
name: Release
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/validation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ name: Validation
on:
pull_request:

permissions: {}

jobs:
yamls:
name: Release YAMLs
Expand Down

0 comments on commit 741b4c0

Please sign in to comment.