From e700605975438a68a1f45795e1814455572a5ff6 Mon Sep 17 00:00:00 2001
From: Alex
Date: Thu, 8 Dec 2022 18:50:37 +0200
Subject: [PATCH 1/2] build: harden validate.yml permissions

Signed-off-by: Alex
---
 .github/workflows/validate.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index a0053f55..53d55d3a 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -12,6 +12,11 @@ on:
       - 'alpha'
       - '!all-contributors/**'
   pull_request: {}
+
+permissions:
+  actions: write # to cancel/stop running workflows (styfle/cancel-workflow-action)
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   main:
     # ignore all-contributors PRs
@@ -56,6 +61,10 @@ jobs:
          flags: node-${{ matrix.node }}
 
   release:
+    permissions:
+      actions: write # to cancel/stop running workflows (styfle/cancel-workflow-action)
+      contents: write # to create release tags (cycjimmy/semantic-release-action)
+
     needs: main
     runs-on: ubuntu-latest
     if:

From 86e39cc658d746733223a39726a05f5a424ac431 Mon Sep 17 00:00:00 2001
From: Alex
Date: Thu, 8 Dec 2022 18:58:14 +0000
Subject: [PATCH 2/2] Update validate.yml

---
 .github/workflows/validate.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 53d55d3a..8d626849 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -13,12 +13,13 @@ on:
       - '!all-contributors/**'
   pull_request: {}
 
-permissions:
-  actions: write # to cancel/stop running workflows (styfle/cancel-workflow-action)
-  contents: read # to fetch code (actions/checkout)
+permissions: {}
 
 jobs:
   main:
+    permissions:
+      actions: write # to cancel/stop running workflows (styfle/cancel-workflow-action)
+      contents: read # to fetch code (actions/checkout)
     # ignore all-contributors PRs
     if: ${{ !contains(github.head_ref, 'all-contributors') }}
     strategy:
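Review bot: The workflow-level `actions: write` added after `pull_request: {}` is inherited by every job in the file, so `release` and any job added later can cancel arbitrary runs in the repository even though only the cancel-workflow-action step needs that right; a top-level `permissions: {}` with per-job grants is the tighter shape (the second patch in this series moves in that direction). The comment should also record that on `pull_request` events from forks GITHUB_TOKEN is capped at read access, so this grant is not honored there and the cancel step must tolerate a 403: `actions: write # cancel superseded runs (styfle/cancel-workflow-action); not granted on fork PRs, where the token is read-only`. Whether that action fails the job or only warns on a 403 is not visible in this hunk and should be checked.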
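Review bot: `contents: write` on the `release` job covers the tag and release that semantic-release-action creates, but if the project's release config uses `@semantic-release/github` with its default success/fail comments, the job also needs `issues: write` and `pull-requests: write` or those API calls fail with 403; the release config is not in this hunk, so verify before adding `issues: write` and `pull-requests: write` to this block. The `actions: write` grant here is only justified if the release job itself runs cancel-workflow-action; if only `main` does, drop it from `release`. The job definition continues outside the hunk (its `if:` condition is cut off), so the event/branch guard that should keep `contents: write` away from `pull_request` runs could not be checked.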
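Review bot: The inline comments on the new `permissions` lines under `main` leave a single space before `#` (`actions: write # to cancel…`); yamllint's `comments` rule wants at least two, so `actions: write  # to cancel/stop running workflows (styfle/cancel-workflow-action)` and likewise `contents: read  # to fetch code (actions/checkout)`. `permissions: {}` at the top is the right default-deny: any job without its own block now gets an empty token, so the `release` job (outside this hunk) must keep the per-job block it received in the previous patch. Since `main` also runs on `pull_request: {}` and fork PRs cap GITHUB_TOKEN at read, `actions: write` is not honored there; a short note next to the grant saying the cancel step is expected to no-op on fork PRs would save the next reader a debugging session.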