From 9d9e9e5c53e2fcf340cc5f1d1889e9561c30daa7 Mon Sep 17 00:00:00 2001
From: Alex
Date: Sun, 25 Sep 2022 19:13:42 +0200
Subject: [PATCH 1/3] build: harden dependency-graph.yml permissions

Signed-off-by: Alex
---
 .github/workflows/dependency-graph.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/dependency-graph.yml b/.github/workflows/dependency-graph.yml
index 7caea8278..0ab49c9b3 100644
--- a/.github/workflows/dependency-graph.yml
+++ b/.github/workflows/dependency-graph.yml
@@ -3,8 +3,12 @@ name: Submit Dependency Graph
 on:
   push:
     branches: [1.7.x] # default branch of the project
+permissions: {}
 jobs:
   submit-graph:
+    permissions:
+      contents: write # to submit the dependency graph
+
     name: Submit Dependency Graph
     runs-on: ubuntu-latest # or windows-latest, or macOS-latest
     steps:

From 459310bc9b95720db647fb99ee0b57d1c83da95a Mon Sep 17 00:00:00 2001
From: Alex
Date: Sun, 25 Sep 2022 19:14:47 +0200
Subject: [PATCH 2/3] build: harden ci.yml permissions

Signed-off-by: Alex
---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d717c8d25..6f74b063d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,6 +3,9 @@ on:
   pull_request:
   push:
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   test:
     strategy:

From 39d9a8fa180a53c15fc629d5c9e5b16a62a18bec Mon Sep 17 00:00:00 2001
From: Alex
Date: Sun, 25 Sep 2022 19:15:26 +0200
Subject: [PATCH 3/3] build: harden nightly.yml permissions

Signed-off-by: Alex
---
 .github/workflows/nightly.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 2897d641f..b7664a12f 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -5,6 +5,9 @@ on:
   # # 08:00 UTC = 03:00 EST
   # - cron: '0 8 * * *'
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   deploy:
     strategy:
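Review bot: `contents: write` on `submit-graph` is the minimum the Dependency Submission API needs, but it also leaves this as the only job in the series that still holds a push-capable token, and the steps that use it lie outside the hunk. Because the trigger is a push to `1.7.x`, the remaining exposure is the third-party action that submits the graph; pin it to a full commit SHA rather than a mutable tag so a compromised action release cannot turn that token against the repository. The top-level `permissions: {}` is the correct deny-by-default form and will also cover any job added to this workflow later.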
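Review bot: A workflow-level `contents: read` sets every other scope to `none`, so any step in the `test` job that writes back to GitHub (a PR comment needs `pull-requests: write`, check-run annotations need `checks: write`) will now fail with 403; the job body starts outside the hunk, so please confirm none of the matrix steps does that. A plain checkout, build and `actions/upload-artifact` flow needs nothing beyond this grant. For consistency with the first patch in this series, `permissions: {}` at the top with `contents: read` declared on the job is slightly stricter and forces future jobs to opt in explicitly; either form is acceptable here.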
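Review bot: The job this grant applies to is named `deploy`, and a read-only `contents` scope will fail whichever step creates a GitHub release, pushes to a branch such as `gh-pages`, or publishes to GitHub Packages (which needs `packages: write`); the job body and the live trigger are both outside the hunk, so this needs checking against the actual steps. If it deploys to an external target using repository secrets, `contents: read` is correct and nothing more is needed. Where more is needed, grant it on the job rather than widening the workflow-level block, e.g. a `permissions:` / `contents: write` pair under `deploy:`. With the cron schedule commented out the real trigger is not visible here; if it is `workflow_dispatch`, the next manual run is where a missing scope will first surface, so it is worth a dry run before merging.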