From 6a69f367db79af78686fc3d2560c28ea29573acc Mon Sep 17 00:00:00 2001 From: eric sciple Date: Tue, 2 Mar 2021 19:59:19 -0600 Subject: [PATCH] Update starter workflows to specify permissions --- automation/greetings.yml | 3 +++ automation/label.yml | 3 +++ automation/stale.yml | 3 +++ ci/docker-publish.yml | 4 ++++ ci/gem-push.yml | 3 +++ ci/gradle-publish.yml | 3 +++ ci/maven-publish.yml | 3 +++ ci/npm-publish.yml | 3 +++ code-scanning/codeql.yml | 3 +++ code-scanning/kubesec.yml | 3 +++ code-scanning/mayhem-for-api.yml | 3 +++ code-scanning/synopsys-io.yml | 3 +++ code-scanning/tfsec.yml | 3 +++ 13 files changed, 40 insertions(+) diff --git a/automation/greetings.yml b/automation/greetings.yml index ebb00a0..ee1cb11 100644 --- a/automation/greetings.yml +++ b/automation/greetings.yml @@ -5,6 +5,9 @@ on: [pull_request, issues] jobs: greeting: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: actions/first-interaction@v1 with: diff --git a/automation/label.yml b/automation/label.yml index 7c724a6..5cdc45e 100644 --- a/automation/label.yml +++ b/automation/label.yml @@ -12,6 +12,9 @@ jobs: label: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - uses: actions/labeler@v2 diff --git a/automation/stale.yml b/automation/stale.yml index b671fc0..30c3dd9 100644 --- a/automation/stale.yml +++ b/automation/stale.yml @@ -8,6 +8,9 @@ jobs: stale: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: actions/stale@v3 diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index 76756db..ba69744 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -44,6 +44,10 @@ jobs: runs-on: ubuntu-latest if: github.event_name == 'push' + permissions: + contents: read + packages: write + steps: - uses: actions/checkout@v2 diff --git a/ci/gem-push.yml b/ci/gem-push.yml index a1edfbc..3dc62be 100644 --- a/ci/gem-push.yml +++ b/ci/gem-push.yml @@ -10,6 +10,9 @@ jobs: build: name: Build + Publish runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v2 diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index ef99e13..a74a1ce 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -11,6 +11,9 @@ jobs: build: runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v2 diff --git a/ci/maven-publish.yml b/ci/maven-publish.yml index c3f4855..18dd937 100644 --- a/ci/maven-publish.yml +++ b/ci/maven-publish.yml @@ -11,6 +11,9 @@ jobs: build: runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v2 diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 1b4952d..8462902 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -35,6 +35,9 @@ jobs: publish-gpr: needs: build runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v2 - uses: actions/setup-node@v2 diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index d88fe52..99299d6 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -24,6 +24,9 @@ jobs: analyze: name: Analyze runs-on: ubuntu-latest + permissions: + contents: read + security-events: write strategy: fail-fast: false diff --git a/code-scanning/kubesec.yml b/code-scanning/kubesec.yml index 8d3d0eb..2d528a5 100644 --- a/code-scanning/kubesec.yml +++ b/code-scanning/kubesec.yml @@ -18,6 +18,9 @@ jobs: lint: name: Kubesec runs-on: ubuntu-20.04 + permissions: + contents: read + security-events: write steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/code-scanning/mayhem-for-api.yml b/code-scanning/mayhem-for-api.yml index 1601ff5..d084e3a 100644 --- a/code-scanning/mayhem-for-api.yml +++ b/code-scanning/mayhem-for-api.yml @@ -37,6 +37,9 @@ jobs: name: Mayhem for API # Mayhem for API runs on linux, mac and windows runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - uses: actions/checkout@v2 diff --git a/code-scanning/synopsys-io.yml b/code-scanning/synopsys-io.yml index 9b5a080..7e0aa09 100644 --- a/code-scanning/synopsys-io.yml +++ b/code-scanning/synopsys-io.yml @@ -18,6 +18,9 @@ jobs: analyze: name: Analyze runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - name: Checkout repository diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 05879a1..006c985 100644 --- a/code-scanning/tfsec.yml +++ b/code-scanning/tfsec.yml @@ -17,6 +17,9 @@ jobs: tfsec: name: Run tfsec sarif report runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - name: Clone repo