From 6ba161e5fcf5eb8c8553591c1d53cc33ae4915af Mon Sep 17 00:00:00 2001
From: Joyce Brum
Date: Tue, 12 Sep 2023 18:53:25 +0000
Subject: [PATCH 1/3] [StepSecurity] ci: Harden GitHub Actions
Signed-off-by: Joyce Brum
---
 .github/workflows/ci_test.yml | 3 +++
 .github/workflows/notify_codeowners.yml | 3 +++
 .github/workflows/release-drafter.yml | 6 ++++++
 .github/workflows/validate_codeowners.yml | 3 +++
 4 files changed, 15 insertions(+)
diff --git a/.github/workflows/ci_test.yml b/.github/workflows/ci_test.yml
index 12e1834b36..4e97e5dd6c 100644
--- a/.github/workflows/ci_test.yml
+++ b/.github/workflows/ci_test.yml
@@ -10,6 +10,9 @@ on: - master - r* +permissions: + contents: read + jobs: flake8-test: name: Flake8
diff --git a/.github/workflows/notify_codeowners.yml b/.github/workflows/notify_codeowners.yml
index 23637f8199..dbd9de26f6 100644
--- a/.github/workflows/notify_codeowners.yml
+++ b/.github/workflows/notify_codeowners.yml
@@ -5,6 +5,9 @@ on: types: [opened] +permissions: + contents: read + jobs: notify-codeowners: name: Notify codeowners
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 9158d7a856..6f0c3a74de 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -6,8 +6,14 @@ on: - master - r* +permissions: + contents: read + jobs: update_release_draft: + permissions: + contents: write # for release-drafter/release-drafter to create a github release + pull-requests: write # for release-drafter/release-drafter to add label to PR runs-on: ubuntu-latest steps: - uses: release-drafter/release-drafter@74e7c423dafbb406c9c18b1638334f67a7c891c3 # Version 5.7.0
diff --git a/.github/workflows/validate_codeowners.yml b/.github/workflows/validate_codeowners.yml
index e40a62f598..53be277148 100644
--- a/.github/workflows/validate_codeowners.yml
+++ b/.github/workflows/validate_codeowners.yml
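Review bot: The workflow-level `permissions: contents: read` added to notify_codeowners.yml also governs the notify-codeowners job, whose steps lie outside the hunk; a job that notifies code owners on `pull_request: opened` presumably writes to the PR (a comment or a review request) through GITHUB_TOKEN, which a read-only token no longer permits, so confirm what that job calls and, if it needs write access, give it a job-level block such as `permissions:` / `pull-requests: write`, as release-drafter.yml does in this same patch. The same concern applies to the release.yml hunk in patch 2/3, whose build and publish jobs are also outside the hunk and may need `contents: write` or `id-token: write` declared on the specific job rather than at workflow level. A job that authenticates with a separate PAT or app token is unaffected by these settings, which is worth stating in a comment if that is the case.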
@@ -15,6 +15,9 @@ on: # Otherwise, it's useless, it just check the codeowners file from the latest commit in master +permissions: + contents: read + jobs: validate-codeowners: name: Check that the CODEOWNERS is valid
From fdcff15ddc2c0651799bbfb20c9a6c10907f0c7c Mon Sep 17 00:00:00 2001
From: Joyce
Date: Tue, 12 Sep 2023 16:10:47 -0300
Subject: [PATCH 2/3] set release.yml permissions
Signed-off-by: Joyce
---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index aae080daff..3388370231 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,6 +14,9 @@ on: - master - r* +permissions: + contents: read + env: MIN_PY_VERSION: '3.9' MAX_PY_VERSION: '3.11'
From 5b38f45e6d6f66ee39c954d80fb27dd1a850f415 Mon Sep 17 00:00:00 2001
From: Joyce
Date: Tue, 12 Sep 2023 16:23:25 -0300
Subject: [PATCH 3/3] set backport.yml permissions
Signed-off-by: Joyce
---
 .github/workflows/backport.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 493dc97c82..74b5266d5f 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -5,10 +5,14 @@ on: - closed - labeled +permissions: {} + jobs: backport: runs-on: ubuntu-20.04 name: Backport + permissions: + contents: write steps: - name: Backport Bot if: github.event.pull_request.merged && ( ( github.event.action == 'closed' && contains( join( github.event.pull_request.labels.*.name ), 'backport') ) || contains( github.event.label.name, 'backport' ) )
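Review bot: The job-level `permissions: contents: write` given to the backport job in backport.yml may be insufficient if the Backport Bot step, which starts in this hunk and continues outside it, opens the backport pull request with GITHUB_TOKEN: creating a PR through the API requires `pull-requests: write` in addition to the push access that `contents: write` grants, so check the action's documented token requirements and add that scope only if it is needed. The top-level `permissions: {}` here also differs from the `contents: read` used in every other workflow in this series; either is acceptable, but a comment such as `# no default token access; the backport job declares exactly what it needs` would make the divergence read as intentional. It would likewise help to annotate why `contents: write` is required, mirroring the per-scope comments added in release-drafter.yml.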