From 8e9bd3bb65ec362f77d34dddc301de06deac8b25 Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Sat, 19 Jun 2021 14:30:39 +0000
Subject: [PATCH 1/2] chore: use minimal permissions for workflows

Restrict the GITHUB_TOKEN issued for builds to reads of respository metadata and file contents.
---
 .github/workflows/ci.yaml | 12 ++++++++++++
 .github/workflows/preview.yaml | 12 ++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index a1260daae..07de33b97 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -11,6 +11,18 @@ on:
 workflow_dispatch:
+permissions:
+ actions: none
+ checks: none
+ contents: read
+ deployments: none
+ issues: none
+ packages: none
+ pull-requests: none
+ repository-projects: none
+ security-events: none
+ statuses: none
+
 jobs:
 lint:
 name: Lint
diff --git a/.github/workflows/preview.yaml b/.github/workflows/preview.yaml
index 31821fa55..317a7a3dc 100644
--- a/.github/workflows/preview.yaml
+++ b/.github/workflows/preview.yaml
@@ -5,6 +5,18 @@ on:
 branches:
 - main
+permissions:
+ actions: none
+ checks: none
+ contents: read
+ deployments: none
+ issues: none
+ packages: none
+ pull-requests: none
+ repository-projects: none
+ security-events: none
+ statuses: none
+
 jobs:
 preview:
 name: Preview
From 266cd3c1c9a8316d9a6957987329560fdc3919e7 Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Mon, 21 Jun 2021 10:16:17 -0700
Subject: [PATCH 2/2] Update .github/workflows/preview.yaml

---
 .github/workflows/preview.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/preview.yaml b/.github/workflows/preview.yaml
index 317a7a3dc..54eb0fb76 100644
--- a/.github/workflows/preview.yaml
+++ b/.github/workflows/preview.yaml
@@ -12,7 +12,7 @@ permissions:
 deployments: none
 issues: none
 packages: none
- pull-requests: none
+ pull-requests: write
 repository-projects: none
 security-events: none
 statuses: none
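Review bot: The ten explicit `none` entries in the new `permissions:` block of `.github/workflows/ci.yaml` are redundant, because once any scope is listed GitHub Actions sets every unlisted scope to `none`; a block holding only `contents: read` issues the same token. If the long form is kept on purpose as documentation, say so in a comment above it, e.g. `# Least privilege: GITHUB_TOKEN may only read repository contents; every other scope is none`. The block is set at workflow level and therefore applies to every job, and the `jobs:` section continues outside the hunk, so whether any job needs a different grant cannot be checked from here. The same point applies to the identical block added in the first hunk of `.github/workflows/preview.yaml`.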
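Review bot: In patch 2/2, `pull-requests: write` is granted at workflow level in `.github/workflows/preview.yaml` with no comment naming the step that needs it, and the commit message gives no reason either. Workflow-level permissions reach every job and every third-party action the workflow runs, so moving the grant into a job-level `permissions:` block on the job that writes to the pull request (together with `contents: read`, since a job-level block replaces the workflow-level one for that job) would keep it narrower. The triggering event is outside the hunk; if it is `pull_request_target`, the write-capable token is also issued for runs on pull requests from forks, and the workflow should then avoid checking out or executing the PR head. At minimum I would add a comment above the line such as `# write needed by <step name> to post on the pull request`.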