From 741b4c0ddecffef5e08a2cd96441dcc7564b568a Mon Sep 17 00:00:00 2001
From: Daniel Farrell
Date: Wed, 24 Aug 2022 15:29:52 -0400
Subject: [PATCH] Minimize GHA permissions

Set the GitHub Actions token permission to null in most workflows. This results in: GITHUB_TOKEN Permissions Metadata: read The default permissions, used without the null override, are either GITHUB_TOKEN Permissions Actions: write Checks: write Contents: write Deployments: write Discussions: write Issues: write Metadata: read Packages: write Pages: write PullRequests: write RepositoryProjects: write SecurityEvents: write Statuses: write or GITHUB_TOKEN Permissions Actions: read Checks: read Contents: read Deployments: read Discussions: read Issues: read Metadata: read Packages: read Pages: read PullRequests: read RepositoryProjects: read SecurityEvents: read Statuses: read Jobs triggered by PRs get read permissions, other jobs get write. A few jobs require non-null permissions to function. The dependent issues GHA needs PR/issues write permissions to add/remove `dependent` labels. It needs status write permission to block/unblock PRs when dependencies are missing/met. Fails with HttpError otherwise. The release job needs permissions to publish releases on GitHub and create/edit PRs. The exact permissions for this job might need tweaking. The testing workflow already had specific permissions granted.

Signed-off-by: Daniel Farrell
---
 .github/workflows/branch.yml | 2 ++
 .github/workflows/codeowners.yml | 2 ++
 .github/workflows/dependent-issues.yml | 5 +++++
 .github/workflows/e2e.yml | 2 ++
 .github/workflows/linting.yml | 2 ++
 .github/workflows/periodic.yml | 2 ++
 .github/workflows/release.yml | 6 ++++++
 .github/workflows/validation.yml | 2 ++
 8 files changed, 23 insertions(+)

diff --git a/.github/workflows/branch.yml b/.github/workflows/branch.yml
index 31e624ed..1a9dc9b0 100644
--- a/.github/workflows/branch.yml
+++ b/.github/workflows/branch.yml
@@ -4,6 +4,8 @@ name: Branch Checks
 on:
   pull_request:
 
+permissions: {}
+
 jobs:
   target_branch:
     name: PR targets branch
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
index ed9ba265..6039421d 100644
--- a/.github/workflows/codeowners.yml
+++ b/.github/workflows/codeowners.yml
@@ -7,6 +7,8 @@ on:
       - 'CODEOWNERS'
       - 'CODEOWNERS.in'
 
+permissions: {}
+
 jobs:
   updated:
     name: Up-to-date
diff --git a/.github/workflows/dependent-issues.yml b/.github/workflows/dependent-issues.yml
index 91bde50c..aec23b74 100644
--- a/.github/workflows/dependent-issues.yml
+++ b/.github/workflows/dependent-issues.yml
@@ -19,6 +19,11 @@ on:
   schedule:
     - cron: '0 0/6 * * *' # every 6 hours
 
+permissions:
+  issues: write
+  pull-requests: write
+  statuses: write
+
 jobs:
   check:
     name: Check Dependencies
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index e3e75acc..612a580b 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -4,6 +4,8 @@ name: End to End Tests
 on:
   pull_request:
 
+permissions: {}
+
 jobs:
   e2e:
     name: E2E
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 7892a07b..c951d3ad 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -4,6 +4,8 @@ name: Linting
 on:
   pull_request:
 
+permissions: {}
+
 jobs:
   apply-suggestions-commits:
     name: 'No "Apply suggestions from code review" Commits'
diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml
index c6b76a7a..6e65df53 100644
--- a/.github/workflows/periodic.yml
+++ b/.github/workflows/periodic.yml
@@ -5,6 +5,8 @@ on:
   schedule:
     - cron: "0 0 * * 0"
 
+permissions: {}
+
 jobs:
   markdown-link-check-periodic:
     name: Markdown Links (all files)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6e91362c..c12d41f0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
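Review bot: `permissions: {}` in branch.yml leaves GITHUB_TOKEN with only `metadata: read`, so any job in this file that has to clone the repository will fail on a private repository, where `actions/checkout` needs `contents: read` (public repositories clone without it); the same applies to the identical hunks in codeowners.yml, e2e.yml, linting.yml, periodic.yml and validation.yml. If a job does need the token, grant the scope on that job rather than at workflow level so the other jobs stay at metadata-only. A short comment above the line would save the next reader a trip to the docs, e.g. `# Drop all GITHUB_TOKEN scopes (only metadata: read remains); grant per job where needed`. The job bodies lie outside the hunks, so I cannot tell from here whether any of them use the token.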
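Review bot: The `issues`, `pull-requests` and `statuses: write` grants in dependent-issues.yml are set at workflow level, so every job in the file receives them; if `check` is the only job this is equivalent, otherwise move the block under `jobs.check` so the write scopes stay confined to the job that runs the dependent-issues action. These grants also cannot raise the token above read-only for a `pull_request` run from a fork, so if the workflow's `on:` block (which starts above this hunk) includes `pull_request`, fork PRs would still hit the HttpError the commit message describes. A line such as `# label add/remove needs issues + pull-requests write; blocking PRs needs statuses write` above `permissions:` would record why each scope is granted.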
@@ -8,6 +8,12 @@ on:
     paths:
       - 'releases/**'
 
+permissions:
+  contents: read
+  packages: : write
+  pull-requests: write
+  issues: write
+
 jobs:
   release:
     name: Release
diff --git a/.github/workflows/validation.yml b/.github/workflows/validation.yml
index cd31ccd8..761e9dda 100644
--- a/.github/workflows/validation.yml
+++ b/.github/workflows/validation.yml
@@ -4,6 +4,8 @@ name: Validation
 on:
   pull_request:
 
+permissions: {}
+
 jobs:
   yamls:
     name: Release YAMLs
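Review bot: `packages: : write` in the release.yml hunk has a stray `:` — the value becomes `: write`, which is not a valid YAML scalar in this position, so GitHub will report an invalid workflow file and the release job will not run at all; it should read `packages: write`. Separately, the commit message says this job publishes releases on GitHub, but creating a release with GITHUB_TOKEN requires `contents: write`, so `contents: read` is probably too low unless the job uses a separate PAT or GitHub App token (the job body is outside the hunk, so I cannot confirm which). A one-line comment beside each scope naming the API call that needs it would make the "might need tweaking" note in the commit message checkable later.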