[openwrt/openwrt] build: harden GitHub workflow permissions
LEDE Commits
lede-commits at lists.infradead.org
Tue Nov 29 13:06:12 PST 2022
hauke pushed a commit to openwrt/openwrt.git, branch openwrt-22.03:
https://git.openwrt.org/008e9a335dc32c4662aa56eb67487ddd777f2147
commit 008e9a335dc32c4662aa56eb67487ddd777f2147
Author: Alex Low <aleksandrosansan at gmail.com>
AuthorDate: Mon Sep 19 12:20:37 2022 +0200
build: harden GitHub workflow permissions
Grant pull-requests write permission to the labeler workflow and
read-only to everything else.
Signed-off-by: Alex Low <aleksandrosansan at gmail.com>
[ wrap to 80 columns and fix wrong author as requested by author itself ]
Signed-off-by: Christian Marangi <ansuelsmth at gmail.com>
(cherry picked from commit 715259940776843d8799bc39de8eb50eb764189b)
---
.github/workflows/formal.yml | 3 +++
.github/workflows/labeler.yml | 7 +++++++
.github/workflows/tools.yml | 3 +++
3 files changed, 13 insertions(+)
diff --git a/.github/workflows/formal.yml b/.github/workflows/formal.yml
index 5046b5a180..1256481637 100644
--- a/.github/workflows/formal.yml
+++ b/.github/workflows/formal.yml
@@ -3,6 +3,9 @@ name: Test Formalities
on:
pull_request:
+permissions:
+ contents: read
+
jobs:
build:
name: Test Formalities
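Review bot: the new workflow-level `permissions:` block in formal.yml carries no comment explaining why `contents: read` is the only scope, while the labeler.yml change in this same commit annotates each scope with its reason. Once a `permissions:` block is present, every scope not listed in it is set to none, and the steps of the `build` job are not visible in this hunk. Please confirm that none of them needs more than read access to the repository contents. A short trailing comment on `contents: read`, in the style used in labeler.yml, would also record the intent for whoever adds a step later.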
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 6bcdf51a89..420617809b 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -2,8 +2,15 @@ name: 'Pull Request Labeler'
on:
- pull_request_target
+permissions:
+ contents: read
+
jobs:
labeler:
+ permissions:
+ contents: read # to determine modified files (actions/labeler)
+ pull-requests: write # to add labels to PRs (actions/labeler)
+
name: Pull Request Labeler
runs-on: ubuntu-latest
steps:
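Review bot: in the `labeler` job, `pull-requests: write` is granted to a workflow triggered by `pull_request_target`, so the job's token can write to pull requests even when the run is triggered from a fork. The steps are outside this hunk, so please confirm that the job only runs the labeler action and never checks out or executes code from the pull request head. A comment next to the job-level block stating that constraint would help. Two smaller points: the workflow-level `contents: read` is overridden by the job-level block for this job and acts only as a default for jobs added later, which is worth a comment; and the job-level `permissions:` sits before `name:`, where placing it after `name:` and `runs-on:` would read more naturally.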
diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml
index 76cbd30db7..e089e26193 100644
--- a/.github/workflows/tools.yml
+++ b/.github/workflows/tools.yml
@@ -5,6 +5,9 @@ on:
paths:
- 'tools/**'
+permissions:
+ contents: read
+
jobs:
build:
name: Build tools on ${{ matrix.os }}
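Review bot: the workflow-level `permissions:` block added after the `paths:` filter applies to every leg of the `build` matrix (`${{ matrix.os }}`), and listing only `contents: read` drops all other token scopes to none for each of them. The job's steps are not part of this hunk, so it is worth checking that no matrix leg relied on a default scope that is now removed. As with formal.yml, a trailing comment on `contents: read` giving the reason would match the commented style used in labeler.yml.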