From 0fbe2488eb8208def65fdad235d944d0f8e2710e Mon Sep 17 00:00:00 2001
From: Alex
Date: Wed, 28 Sep 2022 20:17:33 +0300
Subject: [PATCH] workflows/*: add security hardening (#8518)

---
 .github/workflows/ci.yml     | 3 +++
 .github/workflows/mirror.yml | 4 ++++
 .github/workflows/stale.yml  | 5 +++++
 3 files changed, 12 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3b8d73d17..ee40af996 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,9 @@ name: CI
 on: ['push', 'pull_request']
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   ci:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml
index 2b0f227b9..02ad369b2 100644
--- a/.github/workflows/mirror.yml
+++ b/.github/workflows/mirror.yml
@@ -4,8 +4,12 @@ on:
   push:
     branches: ['main']
+permissions: {}
 jobs:
   mirror:
+    permissions:
+      contents: write # to update branch
+
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 8acda7bbd..109afbaa0 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,8 +4,13 @@ on:
   schedule:
     - cron: '0 0 * * *'
+permissions: {}
 jobs:
   stale:
+    permissions:
+      issues: write # to close stale issues (actions/stale)
+      pull-requests: write # to close stale PRs (actions/stale)
+
     runs-on: ubuntu-latest
     steps:
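Review bot: ci.yml is the only one of the three files that grants `contents: read` at workflow level rather than following the `permissions: {}` top-level default plus per-job grant that mirror.yml and stale.yml adopt in the same commit, so any job added to this workflow later silently inherits a read token without anyone declaring it. For consistency with the other two files, `permissions: {}` at the top and `permissions:` / `  contents: read # to fetch code (actions/checkout)` under `ci:` keeps each grant next to the job that needs it. The `ci` job's steps lie outside the hunk, so whether any of them needs more than `contents: read` (for example writing checks or PR comments) cannot be confirmed here and should be checked before merging.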
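Review bot: `contents: write` under the `mirror` job is explained only by `# to update branch`, and the job's steps are outside the hunk, so it is not visible whether the push actually authenticates with `GITHUB_TOKEN`. If the mirror step pushes to its target with a dedicated secret (a deploy key or PAT), the job can stay at the `permissions: {}` default and this would otherwise be an unused write grant on a workflow that runs on every push to `main`. Either way the comment should name the credential so the grant is auditable, e.g. `contents: write # GITHUB_TOKEN pushes the mirrored branch; drop if a deploy key is used instead`.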
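Review bot: the `issues: write` and `pull-requests: write` grants cover closing, but the actions/stale step configuration is outside the hunk, so it is not visible whether `delete-branch` is enabled; if it is, actions/stale also needs `contents: write` to delete the PR head branch, and with the new `permissions: {}` default that step would fail. Either confirm `delete-branch` is off or add `contents: write # delete-branch (actions/stale)` next to the other two keys. A one-line comment above `permissions: {}` such as `# default to no token scopes; each job declares what it needs` would also make the intent clear to whoever adds the next job to this file.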