Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[core] Harden GitHub Actions permissions #6396

Merged
merged 1 commit into from
Oct 15, 2022
Merged

[core] Harden GitHub Actions permissions #6396

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .github/workflows/check-if-pr-has-label.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ jobs:
test-label-applied:
# Tests that label is added on the PR
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: mnajdova/[email protected]
with:
Expand Down
4 changes: 0 additions & 4 deletions .github/workflows/codeql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,17 +12,14 @@ jobs:
actions: read
contents: read
security-events: write

strategy:
fail-fast: false
matrix:
language: ['javascript', 'typescript']
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

steps:
- name: Checkout repository
uses: actions/checkout@v3

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
Expand All @@ -34,7 +31,6 @@ jobs:

# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/l10n.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ jobs:
# Tests dev-only scripts across all supported dev environments
update-l10n:
runs-on: ubuntu-latest
permissions:
contents: read
issues: write
steps:
- run: echo "${{ github.actor }}"
- uses: actions/checkout@v3
Expand All @@ -22,11 +25,8 @@ jobs:
env:
# Don't need playwright in this job
PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: yarn l10n --report
env:
# Don't need playwright in this job
PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git remote -v
Expand Down
6 changes: 5 additions & 1 deletion .github/workflows/maintenance.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
name: 'Maintenance'
name: Maintenance

on:
# So that PRs touching the same files as the push are updated
push:
Expand All @@ -17,6 +18,9 @@ on:
jobs:
main:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- name: check if prs are dirty
uses: eps1lon/actions-label-merge-conflict@releases/2.x
Expand Down
6 changes: 5 additions & 1 deletion .github/workflows/issue-mark-duplicate.yml → .github/workflows/mark-duplicate.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
name: Issue Mark Duplicate
name: Mark duplicate

on:
issue_comment:
Expand All @@ -7,6 +7,10 @@ on:
jobs:
mark-duplicate:
runs-on: ubuntu-latest
permissions:
contents: read
issues: write
pull-requests: write
steps:
- name: mark-duplicate
uses: actions-cool/issues-helper@v3
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/no-response.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,9 @@ on:
jobs:
noResponse:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think these changes broke the workflow:

steps:
- uses: lee-dohm/[email protected]
with:
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/support-stackoverflow.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,16 +1,16 @@
# Configuration for support-requests - https://github.com/dessant/support-requests
name: 'Support Stack Overflow'
name: Support Stack Overflow

on:
issues:
types: [labeled, unlabeled, reopened]

permissions:
issues: write

jobs:
mark-support:
runs-on: ubuntu-latest
permissions:
contents: read
issues: write
steps:
- uses: dessant/support-requests@v2
with:
Expand Down
6 changes: 5 additions & 1 deletion .github/workflows/vale-action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,14 @@
name: reviewdog
name: Vale action

on: [pull_request]

jobs:
vale:
name: runner / vale
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@v3
- uses: errata-ai/vale-action@reviewdog
Expand Down