Merge pull request #7023 from sashashura/patch-1

GitHub Workflows security hardening
2022-10-02 04:42:01 -04:00 · 2022-10-02 04:42:01 -04:00 · 87bbdd9f9b
parent f0cb420fe2 39d9a8fa18
commit 87bbdd9f9b
3 changed files with 10 additions and 0 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -3,6 +3,9 @@ on:
  pull_request:
  push:

+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
  test:
    strategy:
--- a/.github/workflows/dependency-graph.yml
+++ b/.github/workflows/dependency-graph.yml
@ -3,8 +3,12 @@ name: Submit Dependency Graph
 on:
  push:
    branches: [1.7.x] # default branch of the project
+permissions: {}
 jobs:
  submit-graph:
+    permissions:
+      contents: write # to submit the dependency graph
+
    name: Submit Dependency Graph
    runs-on: ubuntu-latest # or windows-latest, or macOS-latest
    steps:
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@ -5,6 +5,9 @@ on:
 #    # 08:00 UTC = 03:00 EST
 #    - cron:  '0 8 * * *'

+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
  deploy:
    strategy: