From 91b77f61703a670a442edc68cfae02cb57b38d12 Mon Sep 17 00:00:00 2001 From: Diogo Teles Sant'Anna Date: Fri, 22 Sep 2023 19:41:19 +0000 Subject: [PATCH 1/2] ci: set minimal permissions to workflows Signed-off-by: Diogo Teles Sant'Anna --- .github/workflows/auto_author_assign.yml | 4 +++- .github/workflows/binder.yml | 3 +++ .github/workflows/build.yml | 2 +- .github/workflows/buildutils.yml | 3 +++ .github/workflows/check-release.yml | 2 +- .github/workflows/enforce-label.yml | 3 +++ .github/workflows/lock.yml | 6 ++++-- .github/workflows/playwright-update.yml | 5 +++-- .github/workflows/prep-release.yml | 2 ++ .github/workflows/publish-release.yml | 3 +++ .github/workflows/ui-tests.yml | 3 +++ 11 files changed, 29 insertions(+), 7 deletions(-) diff --git a/.github/workflows/auto_author_assign.yml b/.github/workflows/auto_author_assign.yml index 046a6a71bf..8d576d8833 100644 --- a/.github/workflows/auto_author_assign.yml +++ b/.github/workflows/auto_author_assign.yml @@ -6,10 +6,12 @@ on: types: [opened, reopened] permissions: - pull-requests: write + contents: read jobs: assign-author: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - uses: toshimaru/auto-author-assign@v1.6.2 diff --git a/.github/workflows/binder.yml b/.github/workflows/binder.yml index ad9a237e9f..1ff492bb00 100644 --- a/.github/workflows/binder.yml +++ b/.github/workflows/binder.yml @@ -3,6 +3,9 @@ on: pull_request_target: types: [opened] +permissions: + contents: read + jobs: binder: runs-on: ubuntu-latest diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b2f9b4a9d8..d138fe72fe 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -8,7 +8,7 @@ on: - cron: '0 0 * * *' permissions: - contents: write + contents: read concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} diff --git a/.github/workflows/buildutils.yml b/.github/workflows/buildutils.yml index 24929cc0e5..10f188a61c 100644 
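Review bot: The job-level `pull-requests: write` now hands a write-scoped token to a single third-party step, but that step, `- uses: toshimaru/auto-author-assign@v1.6.2`, is still pinned by a mutable tag rather than a commit SHA, so whatever the tag resolves to at run time receives that token; the same applies to `dessant/lock-threads@v4` in lock.yml. Pinning to a full-length SHA with the version as a trailing comment, e.g. `- uses: toshimaru/auto-author-assign@<commit-sha>  # v1.6.2`, would complete the least-privilege intent of this series. Note also that a job-level `permissions` key replaces the workflow-level set rather than merging with it, so this job runs with no `contents` scope at all, which is fine as long as it never checks out the repository. Both points concern context lines, so they may be better as a follow-up commit.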
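Review bot: The new top-level `contents: read` in binder.yml is not paired with any job-level grant for the `binder` job, whose steps lie outside the hunk, and since no `permissions` line is removed here the workflow appears to have relied on the repository default token until now. If that job posts the Binder link as a PR comment, it will now need `permissions:` / `pull-requests: write` on the job, as done in auto_author_assign.yml; if it only computes a URL, the change is complete. Because the trigger is `pull_request_target`, which runs with base-branch secrets on untrusted PR events, any job-level grant should stay at exactly that scope and nothing broader.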
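Review bot: The explicit `contents: write` in build.yml is downgraded to `contents: read` with no job-level re-grant in this hunk, and the jobs that once justified the write are outside it; check-release.yml receives the identical change. The old value was set deliberately, so if any step pushes, tags, or uploads to a release with `GITHUB_TOKEN`, it will now fail with a permissions error, possibly only on the `schedule` trigger (`- cron: '0 0 * * *'`) or on `push` rather than on pull requests, where CI for this PR would not catch it. Please confirm the write scope was unused, or move it to the one job that needs it as `permissions:` / `contents: write` under that job.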
--- a/.github/workflows/buildutils.yml +++ b/.github/workflows/buildutils.yml @@ -13,6 +13,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true +permissions: + contents: read + jobs: versioning: runs-on: ubuntu-latest diff --git a/.github/workflows/check-release.yml b/.github/workflows/check-release.yml index f6ceb3ccaa..dde4a8fc6e 100644 --- a/.github/workflows/check-release.yml +++ b/.github/workflows/check-release.yml @@ -5,7 +5,7 @@ on: pull_request: permissions: - contents: write + contents: read concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} diff --git a/.github/workflows/enforce-label.yml b/.github/workflows/enforce-label.yml index 725feab5ce..2217a7b765 100644 --- a/.github/workflows/enforce-label.yml +++ b/.github/workflows/enforce-label.yml @@ -1,5 +1,8 @@ name: Enforce PR label +permissions: + contents: read + on: pull_request: types: [labeled, unlabeled, opened, edited, synchronize] diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index 7b04bca9b0..9f2e762c71 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -5,12 +5,14 @@ on: - cron: '0 0 * * *' permissions: - issues: write - pull-requests: write + contents: read jobs: lock: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: dessant/lock-threads@v4 with: diff --git a/.github/workflows/playwright-update.yml b/.github/workflows/playwright-update.yml index df16ded8d3..e437a95f3c 100644 --- a/.github/workflows/playwright-update.yml +++ b/.github/workflows/playwright-update.yml 
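Review bot: In enforce-label.yml the `permissions:` block is inserted between `name: Enforce PR label` and `on:`, whereas every other workflow in this series places it after the `on:` block; moving it below `types: [labeled, unlabeled, opened, edited, synchronize]` would keep the eleven files consistent and make future permission audits greppable in one position. The value itself, `contents: read`, looks appropriate for a label check that only reads the event payload, though the job body is outside the hunk.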
@@ -5,13 +5,14 @@ on: types: [created, edited] permissions: - contents: write - pull-requests: write + contents: read jobs: update-snapshots: if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, 'update playwright snapshots') }} runs-on: ubuntu-latest + permissions: + pull-requests: write # Required by actions/update-snapshots strategy: fail-fast: false matrix: diff --git a/.github/workflows/prep-release.yml b/.github/workflows/prep-release.yml index 2ab42761d9..723b6d2ce1 100644 --- a/.github/workflows/prep-release.yml +++ b/.github/workflows/prep-release.yml @@ -19,6 +19,8 @@ on: description: 'Use PRs with activity since the last stable git tag' required: false type: boolean +permissions: + contents: read jobs: prep_release: runs-on: ubuntu-latest diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index dd5b779134..38b1e4833e 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -12,6 +12,9 @@ on: description: 'Comma separated list of steps to skip' required: false +permissions: + contents: read + jobs: publish_release: runs-on: ubuntu-latest diff --git a/.github/workflows/ui-tests.yml b/.github/workflows/ui-tests.yml index 8d407248c2..1c100ae301 100644 --- a/.github/workflows/ui-tests.yml +++ b/.github/workflows/ui-tests.yml @@ -9,6 +9,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true +permissions: + contents: read + jobs: build: name: Build From 51f5b8f8c5538558ee10185257a5e8bc771047c9 Mon Sep 17 00:00:00 2001 
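Review bot: Dropping `contents: write` leaves the `update-snapshots` job with only `pull-requests: write`, and because a job-level `permissions` key replaces the workflow-level set rather than merging with it, the job now has no `contents` scope at all; its steps are outside the hunk. If the snapshot-update step checks out the PR branch and pushes regenerated snapshots with `GITHUB_TOKEN`, it will need `contents: write` at job level alongside the existing line; if it pushes with a separate secret, `contents: read` may still be needed for the checkout. Since the trigger is any `issue_comment` whose body matches the `if:` text, the grant should be the smallest set the step is confirmed to use, and the `# Required by actions/update-snapshots` comment could name which scope each line serves.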
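Review bot: prep-release.yml and publish-release.yml both gain `contents: read` while their release jobs sit outside the hunks, and release preparation and publishing normally create tags, releases or commits; `contents: read` is therefore only correct if those jobs authenticate with a dedicated secret rather than `GITHUB_TOKEN`, so please confirm and otherwise grant `contents: write` on the specific job. Separately, in prep-release.yml the block is appended directly under `type: boolean` with no separating blank line, unlike the other insertions in this series; inserting an empty line before `permissions:` would let it read as its own stanza as in publish-release.yml and ui-tests.yml.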
From: Diogo Teles Sant'Anna Date: Fri, 22 Sep 2023 18:14:36 -0300 Subject: [PATCH 2/2] Fix trailing whitespace on playwright-update.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: MichaƂ Krassowski <5832902+krassowski@users.noreply.github.com> --- .github/workflows/playwright-update.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/playwright-update.yml b/.github/workflows/playwright-update.yml index e437a95f3c..f19743b03f 100644 --- a/.github/workflows/playwright-update.yml +++ b/.github/workflows/playwright-update.yml @@ -12,7 +12,7 @@ jobs: if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, 'update playwright snapshots') }} runs-on: ubuntu-latest permissions: - pull-requests: write # Required by actions/update-snapshots + pull-requests: write # Required by actions/update-snapshots strategy: fail-fast: false matrix: