From 06cafc905da434773cb089c77ff250144fc30473 Mon Sep 17 00:00:00 2001
From: Step Security
Date: Sun, 11 Sep 2022 16:40:45 +0000
Subject: [PATCH 1/2] [StepSecurity] ci: Harden GitHub Actions in prepare-cache.yml

---
 .github/workflows/prepare-cache.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/prepare-cache.yml b/.github/workflows/prepare-cache.yml
index 5fac3c6c75..6a4cf1cdc4 100644
--- a/.github/workflows/prepare-cache.yml
+++ b/.github/workflows/prepare-cache.yml
@@ -7,6 +7,9 @@ on:
         required: true
         type: string
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   prepare-npm-cache:
     name: Prepare npm cache for ${{ inputs.os }}

From 0036a53a08da7c5e37c67edd50407199abea71cb Mon Sep 17 00:00:00 2001
From: Step Security
Date: Sun, 11 Sep 2022 16:40:46 +0000
Subject: [PATCH 2/2] build(devs-infra): set permissions for GH actions

---
 .github/workflows/prepare-cache.yml | 2 +-
 .github/workflows/test.yml | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/prepare-cache.yml b/.github/workflows/prepare-cache.yml
index 6a4cf1cdc4..037bc3d0b3 100644
--- a/.github/workflows/prepare-cache.yml
+++ b/.github/workflows/prepare-cache.yml
@@ -7,7 +7,7 @@ on:
         required: true
         type: string
 
-permissions: # added using https://github.com/step-security/secure-workflows
+permissions: # added using https://github.com/step-security/secure-workflows
   contents: read
 
 jobs:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index aed42b3cde..fe15a08202 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,8 +7,14 @@ on:
         required: true
         type: string
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   test:
+    permissions:
+      checks: write # for coverallsapp/github-action to create new checks
+      contents: read # for actions/checkout to fetch code
     strategy:
       fail-fast: false
       matrix:
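Review bot: The new top-level `permissions:` block in prepare-cache.yml carries only a tool-provenance comment, so a reader cannot tell from the hunk why a read-only GITHUB_TOKEN is sufficient here or what to do when a job later needs more. The `required: true`/`type: string` input context and `${{ inputs.os }}` suggest this is a reusable (`workflow_call`) workflow; if so, the token a called job receives is additionally bounded by what the calling workflow grants, so this block sets the ceiling for this file but the caller's `permissions` still needs review. I would replace the provenance comment with one that states the intent: `permissions: # least privilege: read-only GITHUB_TOKEN for all jobs; raise per job only where a step must write`. The enclosing `on:` and `jobs:` mappings continue outside the hunk, so this is based on the visible lines only.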
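Review bot: In the test.yml hunk, the job-level `permissions` block on `test` replaces the workflow-level block rather than merging with it, which is why `contents: read` has to be restated; that rule is not written down, and a later edit that drops the restated line would silently remove checkout access for this job. Worth a comment above the job block: `# job-level permissions replace (not extend) the workflow-level block; keep contents: read here`. `checks: write` is also only effective if the calling workflow grants it, assuming this is a reusable workflow like prepare-cache.yml (the input context at the top of the hunk suggests so); a caller that grants only `contents: read` would leave the coveralls step unable to create checks, so that requirement belongs in the workflow's documentation. Any other jobs in test.yml now run under the read-only workflow-level block; the `test` job's body continues outside the hunk.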