From: Alex Low Date: Mon, 19 Sep 2022 10:20:37 +0000 (+0200) Subject: build: harden GitHub workflow permissions X-Git-Tag: v22.03.3~127 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=008e9a335dc32c4662aa56eb67487ddd777f2147;p=openwrt%2Fstaging%2Fhauke.git build: harden GitHub workflow permissions Grant pull-requests write permission to the labeler workflow and read-only to everything else. Signed-off-by: Alex Low [ wrap to 80 columns and fix wrong author as requested by author itself ] Signed-off-by: Christian Marangi (cherry picked from commit 715259940776843d8799bc39de8eb50eb764189b) --- diff --git a/.github/workflows/formal.yml b/.github/workflows/formal.yml index 5046b5a180..1256481637 100644 --- a/.github/workflows/formal.yml +++ b/.github/workflows/formal.yml @@ -3,6 +3,9 @@ name: Test Formalities on: pull_request: +permissions: + contents: read + jobs: build: name: Test Formalities diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 6bcdf51a89..420617809b 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -2,8 +2,15 @@ name: 'Pull Request Labeler' on: - pull_request_target +permissions: + contents: read + jobs: labeler: + permissions: + contents: read # to determine modified files (actions/labeler) + pull-requests: write # to add labels to PRs (actions/labeler) + name: Pull Request Labeler runs-on: ubuntu-latest steps: diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml index 76cbd30db7..e089e26193 100644 --- a/.github/workflows/tools.yml +++ b/.github/workflows/tools.yml @@ -5,6 +5,9 @@ on: paths: - 'tools/**' +permissions: + contents: read + jobs: build: name: Build tools on ${{ matrix.os }}
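Review bot: in the formal.yml hunk the new top-level `permissions: contents: read` is the right default, but note that `on: pull_request` already runs fork-originated PRs with a read-only token; the explicit block matters mainly for same-repository PRs and for repositories whose default token setting is still permissive, and a one-line comment saying so (as the labeler.yml hunk does for its entries) would save the next reader from wondering why it was added.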
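Review bot: in the labeler.yml hunk the job-level block correctly restates `contents: read` alongside `pull-requests: write`, because a job-level `permissions` block replaces the workflow-level one rather than merging with it; without the restated `contents: read` the job would lose repository read access. Worth adding a comment to that effect so a later cleanup does not drop the "duplicate" line. Since this workflow runs on `pull_request_target` and now explicitly holds a write-capable token for pull requests, the steps (not visible in the hunk) should be confirmed to check out and run only base-branch content, never the PR head.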
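Review bot: the commit message says "read-only to everything else", but the diff touches only formal.yml, labeler.yml and tools.yml; any other workflow under `.github/workflows` keeps the repository default token permissions, so either the message should name these three workflows or the remaining files should get the same `permissions: contents: read` block. For the tools.yml hunk itself, `contents: read` is sufficient for a build job that only reads the tree under `tools/**`, and the placement between `on:` and `jobs:` matches the other two files.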