fix(CI): GitHub Action YAML Workflow now includes explicit allow-list…

… of permissions for less permissive GITHUB_TOKEN
edrlab · Mar 21, 2024 · 30b4f27 · 30b4f27
1 parent 4e6d70c
commit 30b4f27
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/.github/workflows/deploy b/.github/workflows/deploy
@@ -1,7 +1,23 @@
 name: Build with Hugo
 
 on: [push, pull_request]
-
+
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+    actions: none
+    checks: none
+    contents: write
+    deployments: none
+    id-token: none
+    issues: none
+    packages: none
+    pages: none
+    pull-requests: none
+    repository-projects: none
+    security-events: none
+    statuses: none
+
 jobs:
   deploy:
     runs-on: ubuntu-22.04

diff --git a/.github/workflows/deploy_docsy.yml b/.github/workflows/deploy_docsy.yml
@@ -5,6 +5,22 @@ on:
     branches:
       - main
 
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+    actions: none
+    checks: none
+    contents: write
+    deployments: none
+    id-token: none
+    issues: none
+    packages: none
+    pages: none
+    pull-requests: none
+    repository-projects: none
+    security-events: none
+    statuses: none
+
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch: