ci: add minimum GitHub token permissions for workflows (#1792)

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
2022-10-03 07:53:12 -07:00 · 2022-10-03 07:53:12 -07:00 · 23fc5e099f
commit 23fc5e099f
parent 93d1913fb0
4 changed files with 23 additions and 0 deletions
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@ -2,8 +2,14 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target

+permissions:
+  contents: read
+
 jobs:
  triage:
+    permissions:
+      contents: read  # for actions/labeler to determine modified files
+      pull-requests: write  # for actions/labeler to add labels to PRs
    runs-on: ubuntu-latest
    steps:
    - uses: actions/labeler@v4
--- a/.github/workflows/size-labeler.yml
+++ b/.github/workflows/size-labeler.yml
@ -4,8 +4,13 @@ name: size-labeler

 on: [pull_request_target]

+permissions:
+  contents: read
+
 jobs:
  size-labeler:
+    permissions:
+      pull-requests: write  # for codelytv/pr-size-labeler to add labels & comment on PRs
    runs-on: ubuntu-latest
    name: Label the PR size
    steps:
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -4,9 +4,15 @@ on:
  schedule:
  - cron: "0 0 * * *"

+permissions:
+  contents: read
+
 jobs:
  stale:

+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
    runs-on: ubuntu-latest

    steps:
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -8,6 +8,9 @@ on:
 env:
  GO111MODULE: on

+permissions:
+  contents: read
+
 jobs:


@ -30,6 +33,9 @@ jobs:


  golangci-lint:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
    runs-on: ubuntu-latest
    steps: