
chore: Set permissions for GitHub actions

Restrict the GitHub token permissions only to the required ones; this way, even if attackers succeed in compromising your workflow, they won't be able to do much.

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
pull/13204/head
naveen, 4 years ago
commit eb96830ee5
Files changed (added lines):
- .github/workflows/angular.yml (+3)
- .github/workflows/auto-pr.yml (+6)
- .github/workflows/build-and-test.yml (+3)
- .github/workflows/cancel-workflow.yml (+5)
- .github/workflows/codeql-analysis.yml (+7)

3
.github/workflows/angular.yml

@ -10,6 +10,9 @@ on:
branches: branches:
- 'rel-*' - 'rel-*'
- 'dev' - 'dev'
permissions:
contents: read
jobs: jobs:
build-test-lint: build-test-lint:
runs-on: ubuntu-latest runs-on: ubuntu-latest
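Review bot: the workflow-level `permissions: contents: read` is the right default, but note that `build-test-lint` declares no job-level `permissions`, so it inherits read-only and any step that later needs a write scope (for example posting check results or pushing) will fail with a 403 until that scope is added explicitly at the job level. The other workflows in this commit annotate each elevated scope with a `# for <action> to ...` comment; adding the same kind of note here (or a one-line reason for the read-only default) keeps the files consistent and makes future reviews easier.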

6
.github/workflows/auto-pr.yml

@ -3,8 +3,14 @@ on:
push: push:
branches: branches:
- rel-5.3 - rel-5.3
permissions:
contents: read
jobs: jobs:
merge-rel-5-3-with-rel-5-2: merge-rel-5-3-with-rel-5-2:
permissions:
contents: write # for peter-evans/create-pull-request to create branch
pull-requests: write # for peter-evans/create-pull-request to create a PR
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
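Review bot: a job-level `permissions` block replaces the workflow-level one rather than merging with it, so `merge-rel-5-3-with-rel-5-2` ends up with exactly `contents: write` and `pull-requests: write`, which is what peter-evans/create-pull-request needs to push a branch and open the PR; the inline comments make the reason for each scope clear, good. Two caveats worth confirming: pull requests created with the default `GITHUB_TOKEN` do not trigger further `pull_request` workflow runs, so if the auto-PR is expected to run CI that is pre-existing behaviour this change does not alter; and `actions/checkout@v2` is pinned to a mutable major tag rather than a commit SHA, which is a separate hardening item the linked Scorecard docs also flag.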

3
.github/workflows/build-and-test.yml

@ -31,6 +31,9 @@ on:
- 'templates/**/*.cshtml' - 'templates/**/*.cshtml'
- 'templates/**/*.csproj' - 'templates/**/*.csproj'
- 'templates/**/*.razor' - 'templates/**/*.razor'
permissions:
contents: read
jobs: jobs:
build-test: build-test:
runs-on: windows-latest runs-on: windows-latest

5
.github/workflows/cancel-workflow.yml

@ -1,7 +1,12 @@
name: cancel-workflow name: cancel-workflow
on: [push] on: [push]
permissions:
contents: read
jobs: jobs:
cancel: cancel:
permissions:
actions: write # for styfle/cancel-workflow-action to cancel/stop running workflows
name: 'Cancel Previous Runs' name: 'Cancel Previous Runs'
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 3 timeout-minutes: 3
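Review bot: because the job-level block overrides the workflow-level one, the `cancel` job now holds only `actions: write` and no longer has `contents: read`; that is correct as long as the job does not check out the repository, but the hunk stops before the job's steps, so please verify no `actions/checkout` step follows. `actions: write` is the minimum scope that lets styfle/cancel-workflow-action cancel runs, though it also permits other write operations on the Actions API for this repository, so keeping it scoped to this single job (as done here) rather than at the workflow level is the right choice.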

7
.github/workflows/codeql-analysis.yml

@ -24,8 +24,15 @@ on:
- 'abp/**/*.csproj' - 'abp/**/*.csproj'
- 'abp/**/*.razor' - 'abp/**/*.razor'
permissions:
contents: read
jobs: jobs:
analyze: analyze:
permissions:
actions: read # for github/codeql-action/init to get workflow details
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/autobuild to send a status report
name: Analyze name: Analyze
runs-on: ubuntu-latest runs-on: ubuntu-latest
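Review bot: the three scopes on the `analyze` job match what github/codeql-action documents as required, and the job-level block correctly drops everything else. One wording nit on the comment for `security-events: write`: that scope is primarily what `github/codeql-action/analyze` needs to upload SARIF results to code scanning, not only what `autobuild` uses for its status report; consider rewording the comment to `# for github/codeql-action/analyze to upload SARIF results` so the reason survives if the autobuild step is later replaced by a manual build.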
