
Commit 17f9ab0

chore(ci): sets base permissions on all workflows (#1801)
adds pull requests write permission add permissions for packages, id-token add permissions add permissions all the permissions!
1 parent 7c915d0 commit 17f9ab0

19 files changed

+83
-4
lines changed

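--- a/.github/workflows/closed-issues-message.yml
+++ b/.github/workflows/closed-issues-message.yml
@@ -2,9 +2,15 @@ name: Closed Issue Message
 on:
 issues:
 types: [closed]
+
+permissions:
+contents: read
+
 jobs:
 auto_comment:
 runs-on: ubuntu-latest
+permissions:
+issues: write
 steps:
 - uses: aws-actions/closed-issue-message@36b7048ea77bb834d16e7a7c5b5471ac767a4ca1 # v1.0.0
 with: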

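--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -6,6 +6,9 @@ on:
 types:
 - completed
 
+permissions:
+contents: read
+
 jobs:
 get_pr_details:
 # Guardrails to only ever run if PR recording workflow was indeed
@@ -18,6 +21,8 @@ jobs:
 secrets:
 token: ${{ secrets.GITHUB_TOKEN }}
 label_pr:
+permissions:
+pull-requests: write
 needs: get_pr_details
 runs-on: ubuntu-latest
 steps: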
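Review bot: `get_pr_details` receives no job-level `permissions:` in either hunk, although it passes `secrets.GITHUB_TOKEN` into a reusable workflow whose token is capped by the calling job's permissions — here only the new workflow-level `contents: read`. In on-merge-to-main.yml the equivalent `get_pr_details` job is granted `pull-requests: read` explicitly; if the reusable workflow reads PR details through the API, this file (and on_opened_pr.yml, which has the same shape) should carry the same grant, e.g. `permissions:` / `  pull-requests: read` on the job. The job's lines between the two hunks are outside the diff, so the grant may already be present there.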

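--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -1,6 +1,10 @@
 name: Make Release
 on:
 workflow_dispatch: {}
+
+permissions:
+contents: read
+
 concurrency:
 group: on-release-publish
 jobs: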

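--- a/.github/workflows/make-v2-release.yml
+++ b/.github/workflows/make-v2-release.yml
@@ -1,6 +1,10 @@
 name: Make Release v2 (pre-release)
 on:
 workflow_dispatch: {}
+
+permissions:
+contents: read
+
 concurrency:
 group: on-release-publish
 jobs: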

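--- a/.github/workflows/measure-packages-size.yml
+++ b/.github/workflows/measure-packages-size.yml
@@ -7,8 +7,13 @@ on:
 description: "PR Number"
 required: true
 
+permissions:
+contents: read
+
 jobs:
 measure-utils-sizes:
+permissions:
+pull-requests: write
 runs-on: ubuntu-latest
 env:
 NODE_ENV: dev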

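--- a/.github/workflows/on-doc-v2-merge.yml
+++ b/.github/workflows/on-doc-v2-merge.yml
@@ -8,6 +8,9 @@ on:
 - "docs/**"
 - "mkdocs.yml"
 
+permissions:
+contents: read
+
 jobs:
 release-docs:
 permissions: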

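--- a/.github/workflows/on-merge-to-main.yml
+++ b/.github/workflows/on-merge-to-main.yml
@@ -5,12 +5,18 @@ on:
 workflows: ["Record PR details"]
 types:
 - completed
+
 concurrency:
 group: on-merge-to-main
 
+permissions:
+contents: read
+
 jobs:
 get_pr_details:
 if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
+permissions:
+pull-requests: read
 uses: ./.github/workflows/reusable_export_pr_details.yml
 with:
 record_pr_workflow_id: ${{ github.event.workflow_run.id }}
@@ -22,6 +28,8 @@ jobs:
 if: ${{ needs.get_pr_details.outputs.prIsMerged == 'true' }}
 uses: ./.github/workflows/reusable-run-linting-check-and-unit-tests.yml
 update-release-draft:
+permissions:
+contents: write
 needs: run-unit-tests
 runs-on: ubuntu-latest
 steps:
@@ -32,6 +40,9 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 release_label_on_merge:
+permissions:
+pull-requests: read
+contents: write
 needs: [get_pr_details, update-release-draft]
 runs-on: ubuntu-latest
 steps: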
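Review bot: `release_label_on_merge` is granted `pull-requests: read` together with `contents: write` in the last hunk, but a job whose name suggests it applies a label to the merged PR needs write access on that resource — labels are set through the issues/pull-requests API, so `pull-requests: write` (or `issues: write`) would be the expected scope. The job's steps lie beyond the end of this section, so this should be confirmed against them; if the job only reads the PR and writes releases, the current grant is correct. Separately, `get_pr_details` in the first hunk now caps the reusable workflow it calls at `pull-requests: read`, which is the right shape for a read-only export.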

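--- a/.github/workflows/on-workflows-push-pr.yml
+++ b/.github/workflows/on-workflows-push-pr.yml
@@ -8,10 +8,15 @@ on:
 paths:
 - ".github/workflows/**"
 
+permissions:
+contents: read
+
 jobs:
 enforce_pinned_workflows:
 name: Harden Security
 runs-on: ubuntu-latest
+permissions:
+actions: read
 steps:
 - name: Checkout code
 uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2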
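Review bot: The job-level `permissions:` block added to `enforce_pinned_workflows` (`actions: read`) replaces the workflow-level block rather than extending it, so the job no longer carries the `contents: read` granted at the top of the file, yet its first visible step is `actions/checkout`. On a private repository that checkout would fail; on a public one it may still succeed, but the requirement should be stated explicitly: `permissions:` / `  actions: read` / `  contents: read`. The same override pattern appears in measure-packages-size.yml, where `measure-utils-sizes` keeps only `pull-requests: write`; its steps are outside that hunk, so whether it checks out the repository should be confirmed there too. The remaining steps of this job continue past the end of the section.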

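--- a/.github/workflows/on_doc_merge.yml
+++ b/.github/workflows/on_doc_merge.yml
@@ -8,6 +8,9 @@ on:
 - "docs/**"
 - "mkdocs.yml"
 
+permissions:
+contents: read
+
 jobs:
 release-docs:
 permissions: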

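--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -6,6 +6,9 @@ on:
 types:
 - completed
 
+permissions:
+contents: read
+
 jobs:
 get_pr_details:
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
@@ -16,6 +19,9 @@ jobs:
 secrets:
 token: ${{ secrets.GITHUB_TOKEN }}
 check_related_issue:
+permissions:
+issues: read
+pull-requests: write
 needs: get_pr_details
 runs-on: ubuntu-latest
 steps: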
