chore: Set permissions for GitHub actions (#9891)

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
4 years ago · 2d900d4848
5 changed files with 29 additions and 0 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -2,6 +2,9 @@ name: Node CI
 on: [push, pull_request]
 permissions:
  contents: read
 jobs:
  build:
    runs-on: ${{ matrix.os }}
--- a/.github/workflows/preview-build.yml
+++ b/.github/workflows/preview-build.yml
@ -4,6 +4,9 @@ on:
  pull_request:
    types: [opened, synchronize, reopened]
 permissions:
  contents: read
 jobs:
  build-preview:
    runs-on: ubuntu-latest
--- a/.github/workflows/preview-deploy.yml
+++ b/.github/workflows/preview-deploy.yml
@ -6,8 +6,15 @@ on:
    types:
      - completed
 permissions:
  contents: read
 jobs:
  success:
    permissions:
      actions: read  # for dawidd6/action-download-artifact to query and download artifacts
      issues: write  # for actions-cool/maintain-one-comment to modify or create issue comments
      pull-requests: write  # for actions-cool/maintain-one-comment to modify or create PR comments
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    steps:
@ -62,6 +69,10 @@ jobs:
          number: ${{ steps.pr.outputs.id }}
  failed:
    permissions:
      actions: read  # for dawidd6/action-download-artifact to query and download artifacts
      issues: write  # for actions-cool/maintain-one-comment to modify or create issue comments
      pull-requests: write  # for actions-cool/maintain-one-comment to modify or create PR comments
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'failure'
    steps:
--- a/.github/workflows/preview-start.yml
+++ b/.github/workflows/preview-start.yml
@ -2,8 +2,14 @@ name: Preview Start
 on: pull_request_target
 permissions:
  contents: read
 jobs:
  preview:
    permissions:
      issues: write  # for actions-cool/maintain-one-comment to modify or create issue comments
      pull-requests: write  # for actions-cool/maintain-one-comment to modify or create PR comments
    runs-on: ubuntu-latest
    steps:
      - name: create
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@ -2,8 +2,14 @@ on:
  issue_comment:
    types: [created]
 name: Automatic Rebase
 permissions:
  contents: read
 jobs:
  rebase:
    permissions:
      contents: write  # for cirrus-actions/rebase to push code to rebase
      pull-requests: read  # for cirrus-actions/rebase to get info about PR
    name: Rebase
    if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')
    runs-on: ubuntu-latest