ci: Add GitHub token permissions for workflows

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
2022-07-08 10:53:38 -07:00 · 2022-07-08 10:53:38 -07:00 · 2c71278a23
commit 2c71278a23
parent 1ba4ca5995
7 changed files with 36 additions and 0 deletions
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@ -8,8 +8,14 @@ on:
 # the GitHub repository. This means that it should not evaluate user input in a
 # way that allows code injection.

+permissions:
+  contents: read
+
 jobs:
  backport:
+    permissions:
+      contents: write  # for zeebe-io/backport-action to create branch
+      pull-requests: write  # for zeebe-io/backport-action to create PR to backport
    name: Backport Pull Request
    if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
    runs-on: ubuntu-latest
--- a/.github/workflows/basic-eval.yml
+++ b/.github/workflows/basic-eval.yml
@ -10,6 +10,9 @@ on:
  #   branches:
  #    - master
  #    - release-**
+permissions:
+  contents: read
+
 jobs:
  tests:
    runs-on: ubuntu-latest
--- a/.github/workflows/direct-push.yml
+++ b/.github/workflows/direct-push.yml
@ -4,8 +4,13 @@ on:
    branches:
     - master
     - release-**
+permissions:
+  contents: read
+
 jobs:
  build:
+    permissions:
+      contents: write  # for peter-evans/commit-comment to comment on commit
    runs-on: ubuntu-latest
    if: github.repository_owner == 'NixOS'
    env:
--- a/.github/workflows/pending-clear.yml
+++ b/.github/workflows/pending-clear.yml
@ -4,8 +4,13 @@ on:
  check_suite:
    types: [ completed ]

+permissions:
+  contents: read
+
 jobs:
  action:
+    permissions:
+      statuses: write
    runs-on: ubuntu-latest
    steps:
    - name: clear pending status
--- a/.github/workflows/pending-set.yml
+++ b/.github/workflows/pending-set.yml
@ -8,8 +8,13 @@ on:
 # the GitHub repository. This means that it should not evaluate user input in a
 # way that allows code injection.

+permissions:
+  contents: read
+
 jobs:
  action:
+    permissions:
+      statuses: write
    runs-on: ubuntu-latest
    steps:
    - name: set pending status
--- a/.github/workflows/periodic-merge-24h.yml
+++ b/.github/workflows/periodic-merge-24h.yml
@ -14,8 +14,14 @@ on:
    # Merge every 24 hours
    - cron:  '0 0 * * *'

+permissions:
+  contents: read
+
 jobs:
  periodic-merge:
+    permissions:
+      contents: write  # for devmasx/merge-branch to merge branches
+      issues: write  # for peter-evans/create-or-update-comment to create or update comment
    if: github.repository_owner == 'NixOS'
    runs-on: ubuntu-latest
    strategy:
--- a/.github/workflows/periodic-merge-6h.yml
+++ b/.github/workflows/periodic-merge-6h.yml
@ -14,8 +14,14 @@ on:
    # Merge every 6 hours
    - cron:  '0 */6 * * *'

+permissions:
+  contents: read
+
 jobs:
  periodic-merge:
+    permissions:
+      contents: write  # for devmasx/merge-branch to merge branches
+      issues: write  # for peter-evans/create-or-update-comment to create or update comment
    if: github.repository_owner == 'NixOS'
    runs-on: ubuntu-latest
    strategy: