Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
- master
- "2.9"
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
build:
+ permissions:
+ checks: write # for coverallsapp/github-action to create new checks
+ contents: read # for dorny/paths-filter to fetch a list of changed files
+ pull-requests: read # for dorny/paths-filter to read pull requests
runs-on: ${{ matrix.os }}
outputs:
parallel: true
finish:
+ permissions:
+ checks: write # for coverallsapp/github-action to create new checks
needs: build
runs-on: ubuntu-latest
steps:
on: [pull_request]
+permissions:
+ contents: read
+
jobs:
build:
+ permissions:
+ checks: write # for preactjs/compressed-size-action to create and update the checks
+ contents: read # for actions/checkout to fetch code
+ issues: write # for preactjs/compressed-size-action to create comments
+ pull-requests: write # for preactjs/compressed-size-action to write a PR review
runs-on: ubuntu-latest
steps:
branches:
- master
+permissions:
+ contents: read
+
jobs:
correct_repository:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
steps:
- name: fail on fork
- master
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
correct_repository:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
steps:
- name: fail on fork
run: exit 1
update_release_draft:
+ permissions:
+ contents: write # for release-drafter/release-drafter to create a github release
+ pull-requests: write # for release-drafter/release-drafter to add label to PR
needs: correct_repository
runs-on: ubuntu-latest
steps:
on:
release:
+ permissions:
+ contents: write # for actions/upload-release-asset to upload release asset
types: [published]
+permissions:
+ contents: read
+
jobs:
setup:
+ permissions:
+ contents: none
runs-on: ubuntu-latest
outputs:
version: ${{ steps.trim.outputs.version }}
projects / thirdparty / Chart.js.git / commitdiff
