From 05f1a2cdb59fd18445b843e778df0984c56ae481 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Tue, 31 Oct 2023 00:41:13 -0700
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions (#305)

Signed-off-by: StepSecurity Bot
---
 .github/workflows/dco.yml          | 5 +++++
 .github/workflows/doc-only.yml     | 3 +++
 .github/workflows/e2e.yml          | 3 +++
 .github/workflows/post.yml         | 3 +++
 .github/workflows/pr-verify.yml    | 3 +++
 .github/workflows/pre.yml          | 3 +++
 .github/workflows/releaseimage.yml | 3 +++
 .github/workflows/stable.yaml      | 6 ++++++
 8 files changed, 29 insertions(+)

diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml
index 45cba394a..9994827bc 100644
--- a/.github/workflows/dco.yml
+++ b/.github/workflows/dco.yml
@@ -5,8 +5,13 @@ on:
     branches:
     - main
 
+permissions:
+  contents: read
+
 jobs:
   dco_check:
+    permissions:
+      pull-requests: read # for tim-actions/get-pr-commits to get list of commits from the PR
     runs-on: ubuntu-latest
     name: DCO Check
     steps:
diff --git a/.github/workflows/doc-only.yml b/.github/workflows/doc-only.yml
index c8efae5ba..6b4d35cd9 100644
--- a/.github/workflows/doc-only.yml
+++ b/.github/workflows/doc-only.yml
@@ -12,6 +12,9 @@ on:
     branches:
     - main
 
+permissions:
+  contents: read
+
 jobs:
   verify:
     name: verify
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 1f27b57bb..3b3e59d4c 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -16,6 +16,9 @@ env:
   GO_VERSION: '1.20'
   GO_REQUIRED_MIN_VERSION: ''
 
+permissions:
+  contents: read
+
 jobs:
   e2e:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/post.yml b/.github/workflows/post.yml
index 61db9e4ba..d23185fde 100644
--- a/.github/workflows/post.yml
+++ b/.github/workflows/post.yml
@@ -16,6 +16,9 @@ env:
   GO_VERSION: '1.20'
   GO_REQUIRED_MIN_VERSION: ''
 
+permissions:
+  contents: read
+
 jobs:
   coverage:
     name: coverage
diff --git a/.github/workflows/pr-verify.yml b/.github/workflows/pr-verify.yml
index bf1790638..43c84b619 100644
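Review bot: The job-level `permissions:` block added under `dco_check` replaces the workflow-level set rather than extending it, so this job's token now carries only `pull-requests: read`. If any step of the job (the steps are outside the hunk) checks out the repository with the default token, add `contents: read` next to `pull-requests: read` in the same block. The trailing comment naming the action that needs the scope is a good pattern; it is what keeps the minimal grant auditable when the action is later swapped.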
--- a/.github/workflows/pr-verify.yml
+++ b/.github/workflows/pr-verify.yml
@@ -8,6 +8,9 @@ on:
   pull_request_target:
     types: [opened, edited, reopened, synchronize]
 
+permissions:
+  contents: read
+
 jobs:
   verify:
     name: verify PR contents
diff --git a/.github/workflows/pre.yml b/.github/workflows/pre.yml
index fe44be40e..ba6301e6a 100644
--- a/.github/workflows/pre.yml
+++ b/.github/workflows/pre.yml
@@ -16,6 +16,9 @@ env:
   GO_VERSION: '1.20'
   GO_REQUIRED_MIN_VERSION: ''
 
+permissions:
+  contents: read
+
 jobs:
   verify:
     name: verify
diff --git a/.github/workflows/releaseimage.yml b/.github/workflows/releaseimage.yml
index 54381dbc7..17258f183 100644
--- a/.github/workflows/releaseimage.yml
+++ b/.github/workflows/releaseimage.yml
@@ -15,6 +15,9 @@ defaults:
   run:
     working-directory: go/src/open-cluster-management.io/ocm
 
+permissions:
+  contents: read
+
 jobs:
   env:
     name: prepare release env
diff --git a/.github/workflows/stable.yaml b/.github/workflows/stable.yaml
index 845962c56..7793ff476 100644
--- a/.github/workflows/stable.yaml
+++ b/.github/workflows/stable.yaml
@@ -5,8 +5,14 @@ on:
 # `stable` label will be added to issues and PRs that have been inactive for 120 days
 # Close stale issues and PRs after 14 days of inactivity
 
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write # for actions/stale to close stale issues
+      pull-requests: write # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
     - uses: actions/stale@v8
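Review bot: `contents: read` narrows the default token in pr-verify.yml, but the workflow is triggered by `pull_request_target`, which still runs in the base repository's context with its secrets available, and a token scope does not change that. The `verify` job's steps are outside the hunk; confirm they do not check out and execute the PR head (`github.event.pull_request.head.sha`) while running under this trigger, and that `edited` in the `types` list is actually needed, since it re-runs the job on every title or body edit. The trigger choice deserves a comment in place, e.g. `# pull_request_target: runs with base-repo secrets; never check out or execute PR head content in this job`.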
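Review bot: The workflow-level `contents: read` in releaseimage.yml becomes the ceiling for every job that declares no `permissions:` of its own, and the jobs that build and push the release image are outside the hunk. Confirm that any job publishing to GitHub's container registry or creating a release declares its own job-level scope (for example `packages: write` for a GHCR push); with only the reduced default token those steps would fail rather than silently succeed, which is the safer failure mode but still needs to be checked before the next release. Jobs that push to an external registry with their own credentials are unaffected by this change.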
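Review bot: The hardening scopes the token but leaves `- uses: actions/stale@v8` on a mutable tag, so the `stale` job, which now holds `issues: write` and `pull-requests: write`, still executes whatever that tag currently resolves to. The usual complement is to pin to a full commit SHA and keep the version as a trailing comment, e.g. `- uses: actions/stale@<full-commit-sha> # v8` (placeholder; take the SHA from the action's release). The same applies to every other `uses:` line in these workflows, all of which sit outside the hunks. The job-level block replacing the workflow-level `contents: read` is fine here, as actions/stale does not check out the repository.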