GitHub Workflows security hardening (#2511)

Signed-off-by: Alex <aleksandrosansan@gmail.com>
2024-11-07 20:31:01 -05:00 · 2022-11-10 03:46:55 +02:00 · 2022-11-10 03:46:55 +02:00 · 8dd46e3915
commit 8dd46e3915
parent ed1083ec27
4 changed files with 16 additions and 0 deletions
--- a/.github/workflows/macos_build.yml
+++ b/.github/workflows/macos_build.yml
@ -1,5 +1,9 @@
 name: macos_build
 on: [pull_request, push]
+
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
  macos_build:
    strategy:
--- a/.github/workflows/no-response.yml
+++ b/.github/workflows/no-response.yml
@ -9,8 +9,12 @@ on:
    # Schedule for ten minutes after the hour, every hour
    - cron: '10 * * * *'

+permissions: {}
 jobs:
  noResponse:
+    permissions:
+      issues: write  #  to update issues (lee-dohm/no-response)
+
    runs-on: ubuntu-latest
    steps:
      - uses: lee-dohm/no-response@v0.5.0
--- a/.github/workflows/pyenv_tests.yml
+++ b/.github/workflows/pyenv_tests.yml
@ -1,5 +1,9 @@
 name: pyenv_tests
 on: [pull_request, push]
+
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
  pyenv_tests:
    strategy:
--- a/.github/workflows/ubuntu_build.yml
+++ b/.github/workflows/ubuntu_build.yml
@ -1,5 +1,9 @@
 name: ubuntu_build
 on: [pull_request, push]
+
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
  ubuntu_build:
    strategy: