build: harden GitHub workflow permissions
authorAlex Low <aleksandrosansan@gmail.com>
Mon, 19 Sep 2022 10:20:37 +0000 (12:20 +0200)
committerChristian Marangi <ansuelsmth@gmail.com>
Sun, 4 Dec 2022 16:36:57 +0000 (17:36 +0100)
Grant pull-requests write permission to the labeler workflow and
read-only to everything else.

Signed-off-by: Alex Low <aleksandrosansan@gmail.com>
[ wrap to 80 columns and fix the wrong author, as requested by the author themselves ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 715259940776843d8799bc39de8eb50eb764189b)

.github/workflows/formal.yml
.github/workflows/kernel.yml
.github/workflows/labeler.yml
.github/workflows/tools.yml

index 26bcc74542982d1b97ada1d506d90edeeb6c8e99..8df31d1751f4ca7ba20df268b2211572e3a9c3b4 100644 (file)
@@ -3,6 +3,9 @@ name: Test Formalities
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Test Formalities
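Review bot: The workflow-level `permissions:` block added here, and the identical ones in the kernel.yml and tools.yml hunks, replaces the default GITHUB_TOKEN scopes for every job in the file, so if any job whose steps lie outside this hunk uses the token with write intent (commenting on a PR, uploading release assets, pushing), it will now fail with a 403 where it previously succeeded under the default token. Worth a CI run on all three workflows to confirm no job needs more than `contents: read`; note also that a job-level `permissions:` block replaces the workflow-level one rather than merging with it, so any such job must list every scope it needs. A short comment above the block would help future editors, e.g. `# Least-privilege default for GITHUB_TOKEN; a job needing more must declare its own block`. The `jobs:` bodies continue outside the hunk.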
index 99b8aefbe1d46c82eb750dc646d65a072c5488fc..0ba8c27e2e7313f88dd5dee9b55ba2dbc5dcaa73 100644 (file)
@@ -7,6 +7,10 @@ on:
       - 'include/kernel-*'
       - 'package/kernel/**'
       - 'target/linux/generic/**'
+
+permissions:
+  contents: read
+
 jobs:
   determine_targets:
     name: Set targets
index 5eecf6902388c298e933432f1958554406ba590b..5f82b88a50a7dc5e7e5e4ab82c04b2bccfeab36f 100644 (file)
@@ -2,8 +2,15 @@ name: 'Pull Request Labeler'
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   labeler:
+    permissions:
+      contents: read # to determine modified files (actions/labeler)
+      pull-requests: write # to add labels to PRs (actions/labeler)
+
     name: Pull Request Labeler
     runs-on: ubuntu-latest
     steps:
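Review bot: The job-level block leaves `pull-requests: write` as the only write scope, and it is granted under `pull_request_target`, which runs with the base repository's token on events from untrusted forks; the job's steps begin after this hunk, so please confirm none of them checks out or executes the PR head (e.g. `actions/checkout` pointed at the PR's ref), since that would expose the write-capable token to PR-supplied code. Repeating `contents: read` at job level is correct, because a job-level `permissions:` replaces the workflow-level block instead of extending it — a comment would stop someone "deduplicating" it later, e.g. `# job-level permissions replace, not extend, the workflow-level block`. Minor style: yamllint expects two spaces before an inline comment, `contents: read  # to determine modified files (actions/labeler)` and likewise on the `pull-requests` line.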
index 39adac5beb84a8582b79ad9ceb4168c6e0296abe..f48361536362c32a6a6c383c7b36fe6def607c30 100644 (file)
@@ -10,6 +10,9 @@ on:
       - 'tools/**'
       - '.github/workflows/tools.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build-macos-latest:
     if: github.event_name != 'push'