[openwrt/openwrt] build: harden GitHub workflow permissions

LEDE Commits lede-commits at lists.infradead.org
Sun Dec 4 07:37:20 PST 2022


ansuel pushed a commit to openwrt/openwrt.git, branch openwrt-21.02:
https://git.openwrt.org/3a9f927c2f74bce2f8b6c1fe654db3ef2cabae0a

commit 3a9f927c2f74bce2f8b6c1fe654db3ef2cabae0a
Author: Alex Low <aleksandrosansan at gmail.com>
AuthorDate: Mon Sep 19 12:20:37 2022 +0200

    build: harden GitHub workflow permissions
    
    Grant pull-requests write permission to the labeler workflow and
    read-only to everything else.
    
    Signed-off-by: Alex Low <aleksandrosansan at gmail.com>
    [ wrap to 80 columns and fix wrong author as requested by author itself ]
    Signed-off-by: Christian Marangi <ansuelsmth at gmail.com>
    (cherry picked from commit 715259940776843d8799bc39de8eb50eb764189b)
---
 .github/workflows/formal.yml  | 3 +++
 .github/workflows/kernel.yml  | 4 ++++
 .github/workflows/labeler.yml | 7 +++++++
 .github/workflows/tools.yml   | 3 +++
 4 files changed, 17 insertions(+)

diff --git a/.github/workflows/formal.yml b/.github/workflows/formal.yml
index 5046b5a180..1256481637 100644
--- a/.github/workflows/formal.yml
+++ b/.github/workflows/formal.yml
@@ -3,6 +3,9 @@ name: Test Formalities
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Test Formalities
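Review bot: a top-level `permissions:` block replaces the default token scopes for every job in this workflow, so `contents: read` here also removes write access to scopes such as `pull-requests`, `statuses` and `checks` for the `build` job; since the trigger is `pull_request`, fork PRs already get a read-only token, but same-repo PRs did not, so this is the right default. If a future step in this workflow needs to annotate the PR, grant that scope at the job level (as labeler.yml does) rather than widening this top-level block.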
diff --git a/.github/workflows/kernel.yml b/.github/workflows/kernel.yml
index 4f8c6b9317..62e0952f19 100644
--- a/.github/workflows/kernel.yml
+++ b/.github/workflows/kernel.yml
@@ -7,6 +7,10 @@ on:
       - 'include/kernel-*'
       - 'package/kernel/**'
       - 'target/linux/generic/**'
+
+permissions:
+  contents: read
+
 jobs:
   determine_targets:
     name: Set targets
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 6bcdf51a89..420617809b 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -2,8 +2,15 @@ name: 'Pull Request Labeler'
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   labeler:
+    permissions:
+      contents: read # to determine modified files (actions/labeler)
+      pull-requests: write # to add labels to PRs (actions/labeler)
+
     name: Pull Request Labeler
     runs-on: ubuntu-latest
     steps:
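Review bot: the job-level `permissions:` block is correct and necessary here, because a job-level block replaces the top-level one rather than merging with it, so `contents: read` must be repeated alongside `pull-requests: write` or the labeler could not read the base-branch config. Since this workflow runs on `pull_request_target` (line `- pull_request_target`), the `pull-requests: write` token is issued in the base repository context even for fork PRs, so the job should keep doing nothing beyond applying labels and must not check out or execute the PR head; the inline comments documenting why each scope is needed are a good practice worth keeping. Minor style point: the added `permissions:` block sits before `name:`/`runs-on:`, which is valid YAML but reads more naturally after them.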
diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml
index be967833cb..4e423fdd62 100644
--- a/.github/workflows/tools.yml
+++ b/.github/workflows/tools.yml
@@ -6,6 +6,9 @@ on:
       - 'tools/**'
       - '.github/workflows/tools.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: tools-${{ matrix.os }}
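Review bot: this mirrors the formal.yml change and applies to every matrix instance of the `build` job (`tools-${{ matrix.os }}`); nothing in the visible hunk needs more than `contents: read`. As with the other three files, the `permissions:` key is placed between `on:` and `jobs:`, which keeps the four workflows consistent and makes the read-only default easy to audit in one place.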
