CI: Add GitHub token permissions for workflows (#36325)

author Varun Sharma <varunsh@stepsecurity.io>

Fri, 16 Dec 2022 07:20:12 +0000 (12:50 +0530)

committer GitHub <noreply@github.com>

Fri, 16 Dec 2022 07:20:12 +0000 (09:20 +0200)
author Varun Sharma <varunsh@stepsecurity.io>
Fri, 16 Dec 2022 07:20:12 +0000 (12:50 +0530)
committer GitHub <noreply@github.com>
Fri, 16 Dec 2022 07:20:12 +0000 (09:20 +0200)
diff --git a/.github/workflows/browserstack.yml b/.github/workflows/browserstack.yml

index 918e0a15219e7407236eec19dd657d101e505de1..9a2fc91e56c3e7444c4aa4e85da8f175d5de172a 100644 (file)
--- a/.github/workflows/browserstack.yml
+++ b/.github/workflows/browserstack.yml
@@ -8,6 +8,9 @@ env:
    FORCE_COLOR: 2
    NODE: 18
  
+permissions:
+  contents: read
+
  jobs:
    browserstack:
      runs-on: ubuntu-latest
diff --git a/.github/workflows/bundlewatch.yml b/.github/workflows/bundlewatch.yml

index 8159ae2da34f2b995f057a1812b3273eb12a7d2e..2add86c49bc57212bcc994ac8d4b1d38544a7e51 100644 (file)
--- a/.github/workflows/bundlewatch.yml
+++ b/.github/workflows/bundlewatch.yml
@@ -11,6 +11,9 @@ env:
    FORCE_COLOR: 2
    NODE: 18
  
+permissions:
+  contents: read
+
  jobs:
    bundlewatch:
      runs-on: ubuntu-latest
diff --git a/.github/workflows/cspell.yml b/.github/workflows/cspell.yml

index f79ffdb81d2fc35ae1de6970a3d4f79ed508aa89..1d946981c66426b0cdc72e8f8d64f638fb0471ce 100644 (file)
--- a/.github/workflows/cspell.yml
+++ b/.github/workflows/cspell.yml
@@ -10,8 +10,15 @@ on:
  env:
    FORCE_COLOR: 2
  
+permissions:
+  contents: read
+
  jobs:
    cspell:
+    permissions:
+      # allow streetsidesoftware/cspell-action to fetch files for commits and PRs
+      contents: read
+      pull-requests: read
      runs-on: ubuntu-latest
  
      steps:
diff --git a/.github/workflows/css.yml b/.github/workflows/css.yml

index 68323a975fd32a0b6e81fb7455d5ace1b94afac5..6bfde50af3dd1b6827d10584072f1f4dd5733fff 100644 (file)
--- a/.github/workflows/css.yml
+++ b/.github/workflows/css.yml
@@ -11,6 +11,9 @@ env:
    FORCE_COLOR: 2
    NODE: 18
  
+permissions:
+  contents: read
+
  jobs:
    css:
      runs-on: ubuntu-latest
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml

index a47d82fda9041e37e01cfab6a6069f6e1d1d8832..bdeae6043da42a26be139327fee6fa7d3440fb27 100644 (file)
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -11,6 +11,9 @@ env:
    FORCE_COLOR: 2
    NODE: 18
  
+permissions:
+  contents: read
+
  jobs:
    docs:
      runs-on: ubuntu-latest
diff --git a/.github/workflows/issue-close-require.yml b/.github/workflows/issue-close-require.yml

index b251cd75ee0de33adba6e8c40510f1df67f214a3..b5000d8b4350be86f5173cbc56daf2024b6b7ff8 100644 (file)
--- a/.github/workflows/issue-close-require.yml
+++ b/.github/workflows/issue-close-require.yml
@@ -4,8 +4,15 @@ on:
    schedule:
      - cron: "0 0 * * *"
  
+permissions:
+  contents: read
+
  jobs:
    issue-close-require:
+    permissions:
+      # allow actions-cool/issues-helper to update issues and PRs
+      issues: write
+      pull-requests: write
      runs-on: ubuntu-latest
      if: github.repository == 'twbs/bootstrap'
      steps:
diff --git a/.github/workflows/issue-labeled.yml b/.github/workflows/issue-labeled.yml

index fac58493b539b8a8bbbdc2884441277a7ff99636..584879dd80cf1c93d3ba30edf65a16dee1c12a8e 100644 (file)
--- a/.github/workflows/issue-labeled.yml
+++ b/.github/workflows/issue-labeled.yml
@@ -4,8 +4,15 @@ on:
    issues:
      types: [labeled]
  
+permissions:
+  contents: read
+
  jobs:
    issue-labeled:
+    permissions:
+      # allow actions-cool/issues-helper to update issues and PRs
+      issues: write
+      pull-requests: write
      if: github.repository == 'twbs/bootstrap'
      runs-on: ubuntu-latest
      steps:
diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml

index 724f16c62fb121f3c48f9a5209447b06b948227b..a8994b6cc3b15760f0f23915d05a5a5f8522171f 100644 (file)
--- a/.github/workflows/js.yml
+++ b/.github/workflows/js.yml
@@ -11,8 +11,15 @@ env:
    FORCE_COLOR: 2
    NODE: 18
  
+permissions:
+  contents: read
+
  jobs:
    run:
+    permissions:
+      # allow coverallsapp/github-action to create new checks issues and fetch code
+      checks: write
+      contents: read
      name: JS Tests
      runs-on: ubuntu-latest
  
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml

index b804462c9b73c64ab2f19b9f88bb0fc5be83711f..51ee189995735402e1179dfef75419867ee5aa06 100644 (file)
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -11,6 +11,9 @@ env:
    FORCE_COLOR: 2
    NODE: 18
  
+permissions:
+  contents: read
+
  jobs:
    lint:
      runs-on: ubuntu-latest
diff --git a/.github/workflows/node-sass.yml b/.github/workflows/node-sass.yml

index b0f9a72deead3b8107965c3ec7527f3e149d577d..dc687ca46b52b3af2e58771b7a75ac2707ddbb2e 100644 (file)
--- a/.github/workflows/node-sass.yml
+++ b/.github/workflows/node-sass.yml
@@ -11,6 +11,9 @@ env:
    FORCE_COLOR: 2
    NODE: 18
  
+permissions:
+  contents: read
+
  jobs:
    css:
      runs-on: ubuntu-latest
diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml

index bbd0a2448bfa83d473a7b206904332a3bee80cd6..f620dd31d1f85c804a605573c19dddbf3ae463b2 100644 (file)
--- a/.github/workflows/release-notes.yml
+++ b/.github/workflows/release-notes.yml
@@ -6,8 +6,15 @@ on:
        - main
    workflow_dispatch:
  
+permissions:
+  contents: read
+
  jobs:
    update_release_draft:
+    permissions:
+      # allow release-drafter/release-drafter to create GitHub releases and add labels to PRs
+      contents: write
+      pull-requests: write
      runs-on: ubuntu-latest
      if: github.repository == 'twbs/bootstrap'
      steps:
author	Varun Sharma <varunsh@stepsecurity.io>
	Fri, 16 Dec 2022 07:20:12 +0000 (12:50 +0530)
committer	GitHub <noreply@github.com>
	Fri, 16 Dec 2022 07:20:12 +0000 (09:20 +0200)
.github/workflows/browserstack.yml		patch \| blob \| blame \| history
.github/workflows/bundlewatch.yml		patch \| blob \| blame \| history
.github/workflows/cspell.yml		patch \| blob \| blame \| history
.github/workflows/css.yml		patch \| blob \| blame \| history
.github/workflows/docs.yml		patch \| blob \| blame \| history
.github/workflows/issue-close-require.yml		patch \| blob \| blame \| history
.github/workflows/issue-labeled.yml		patch \| blob \| blame \| history
.github/workflows/js.yml		patch \| blob \| blame \| history
.github/workflows/lint.yml		patch \| blob \| blame \| history
.github/workflows/node-sass.yml		patch \| blob \| blame \| history
.github/workflows/release-notes.yml		patch \| blob \| blame \| history