diff options
| author | Nick Brassel <nick@tzarc.org> | 2022-12-23 10:41:16 +1100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-12-23 10:41:16 +1100 |
| commit | f75ac6042ed042c329ab3d1c9cec46b4c4b81918 (patch) | |
| tree | 4b5c834d84bb7752e459243a2ec5893a64f3f5a9 /.github/workflows | |
| parent | b8a9de206d38f0e047c2f07bca398d6fe53b76a9 (diff) | |
Lock down workflow permissions. (#19406)
Co-authored-by: Joel Challis <git@zvecr.com>
Diffstat (limited to '.github/workflows')
| -rw-r--r-- | .github/workflows/api.yml | 3 | ||||
| -rw-r--r-- | .github/workflows/auto_approve.yml | 2 | ||||
| -rw-r--r-- | .github/workflows/auto_tag.yml | 3 | ||||
| -rw-r--r-- | .github/workflows/cli.yml | 3 | ||||
| -rw-r--r-- | .github/workflows/develop_update.yml | 3 | ||||
| -rw-r--r-- | .github/workflows/docs.yml | 3 | ||||
| -rw-r--r-- | .github/workflows/feature_branch_update.yml | 3 | ||||
| -rw-r--r-- | .github/workflows/format.yml | 3 | ||||
| -rw-r--r-- | .github/workflows/format_push.yml | 3 | ||||
| -rw-r--r-- | .github/workflows/labeler.yml | 4 | ||||
| -rw-r--r-- | .github/workflows/lint.yml | 3 | ||||
| -rw-r--r-- | .github/workflows/stale.yml | 9 | ||||
| -rw-r--r-- | .github/workflows/unit_test.yml | 3 |
13 files changed, 41 insertions, 4 deletions
diff --git a/.github/workflows/api.yml b/.github/workflows/api.yml index 0cff4f6e75..2abfe696fd 100644 --- a/.github/workflows/api.yml +++ b/.github/workflows/api.yml @@ -1,5 +1,8 @@ name: Update API Data +permissions: + contents: read + on: push: branches: diff --git a/.github/workflows/auto_approve.yml b/.github/workflows/auto_approve.yml index dea3f017dd..1db1c49a9b 100644 --- a/.github/workflows/auto_approve.yml +++ b/.github/workflows/auto_approve.yml @@ -1,5 +1,7 @@ name: Automatic Approve +permissions: {} + on: schedule: - cron: "*/5 * * * *" diff --git a/.github/workflows/auto_tag.yml b/.github/workflows/auto_tag.yml index d6fcbe48e4..d1776c058d 100644 --- a/.github/workflows/auto_tag.yml +++ b/.github/workflows/auto_tag.yml @@ -1,5 +1,8 @@ name: Essential files modified +permissions: + contents: write + on: push: branches: diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml index 72f2ea293a..aeca9679cb 100644 --- a/.github/workflows/cli.yml +++ b/.github/workflows/cli.yml @@ -1,5 +1,8 @@ name: CLI CI +permissions: + contents: read + on: push: branches: diff --git a/.github/workflows/develop_update.yml b/.github/workflows/develop_update.yml index 18ca84162b..9c041c42ec 100644 --- a/.github/workflows/develop_update.yml +++ b/.github/workflows/develop_update.yml @@ -1,5 +1,8 @@ name: Update develop after master merge +permissions: + contents: write + on: push: branches: diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 1497739a0b..841573cf30 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -1,5 +1,8 @@ name: Generate Docs +permissions: + contents: write + on: push: branches: diff --git a/.github/workflows/feature_branch_update.yml b/.github/workflows/feature_branch_update.yml index 90cd85e355..bfc4c7d65e 100644 --- a/.github/workflows/feature_branch_update.yml +++ b/.github/workflows/feature_branch_update.yml @@ -1,5 +1,8 @@ name: Update feature branches after develop merge +permissions: + contents: write + on: push: branches: diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index b6ce4063fe..782530f62e 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml @@ -1,5 +1,8 @@ name: PR Lint Format +permissions: + contents: read + on: pull_request: paths: diff --git a/.github/workflows/format_push.yml b/.github/workflows/format_push.yml index 910bba9a4e..5469ab0faa 100644 --- a/.github/workflows/format_push.yml +++ b/.github/workflows/format_push.yml @@ -1,5 +1,8 @@ name: Lint Format +permissions: + contents: read + on: push: branches: diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 3b99a8f43e..95f58ff003 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -1,5 +1,9 @@ name: "Pull Request Labeler" +permissions: + contents: read + pull-requests: write + on: pull_request_target: types: [opened, synchronize, reopened, ready_for_review, locked] diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 5b8a45f26b..8e1dbcaea2 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,5 +1,8 @@ name: PR Lint keyboards +permissions: + contents: read + on: pull_request: paths: diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 297af8e19c..1c5b3e1197 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -1,13 +1,14 @@ name: 'Close stale issues and PRs' -on: - schedule: - - cron: '30 1 * * *' - workflow_dispatch: permissions: issues: write pull-requests: write +on: + schedule: + - cron: '30 1 * * *' + workflow_dispatch: + jobs: stale: runs-on: ubuntu-latest diff --git a/.github/workflows/unit_test.yml b/.github/workflows/unit_test.yml index c8373441ff..75ed84177b 100644 --- a/.github/workflows/unit_test.yml +++ b/.github/workflows/unit_test.yml @@ -1,5 +1,8 @@ name: Unit Tests +permissions: + contents: read + on: push: branches: |