From 67e06706ef4e0ebc8c2a3d531c0058a772e48d91 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Thu, 31 Mar 2022 09:57:32 -0700 Subject: [PATCH] ci/gha: limit jobs permissions Most jobs only require to read the repo. Some require to read PRs as well. For details, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions Reported-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Co-authored-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: Kir Kolyshkin --- .github/workflows/test.yml | 2 ++ .github/workflows/validate.yml | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index dc8ccd1b9..2b7078982 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,6 +10,8 @@ on: - main - release-* pull_request: +permissions: + contents: read env: # Don't ignore C warnings. Note that the output of "go env CGO_CFLAGS" by default is "-g -O2", so we keep them. diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 35a7dadb1..5828c5779 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -9,10 +9,15 @@ on: pull_request: env: GO_VERSION: 1.18.x +permissions: + contents: read jobs: lint: + permissions: + contents: read + pull-requests: read runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v3 @@ -140,6 +145,9 @@ jobs: commit: + permissions: + contents: read + pull-requests: read runs-on: ubuntu-20.04 # Only check commits on pull requests. if: github.event_name == 'pull_request'