NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commitafacb07

authored

chore: tighten GitHub workflow permissions (#15282)

1 parentdf6afd3 commitafacb07Copy full SHA for afacb07

File tree

7 files changed

+41

-17

lines changed

.github/workflows

7 files changed

+41

-17

lines changed

`‎.github/workflows/docker-base.yaml`

Lines changed: 5 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -22,17 +22,18 @@ on:`
`22`	`22`
`23`	`23`	`permissions:`
`24`	`24`	`contents:read`
`25`		`-# Necessary to push docker images to ghcr.io.`
`26`		`-packages:write`
`27`		`-# Necessary for depot.dev authentication.`
`28`		`-id-token:write`
`29`	`25`
`30`	`26`	`# Avoid running multiple jobs for the same commit.`
`31`	`27`	`concurrency:`
`32`	`28`	`group:${{ github.workflow }}-${{ github.ref }}-docker-base`
`33`	`29`
`34`	`30`	`jobs:`
`35`	`31`	`build:`
	`32`	`+permissions:`
	`33`	`+# Necessary for depot.dev authentication.`
	`34`	`+id-token:write`
	`35`	`+# Necessary to push docker images to ghcr.io.`
	`36`	`+packages:write`
`36`	`37`	`runs-on:ubuntu-latest`
`37`	`38`	`if:github.repository_owner == 'coder'`
`38`	`39`	`steps:`

`‎.github/workflows/nightly-gauntlet.yaml`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,10 @@ on:`
`6`	`6`	`# Every day at midnight`
`7`	`7`	`-cron:"0 0 * * *"`
`8`	`8`	`workflow_dispatch:`
	`9`	`+`
	`10`	`+permissions:`
	`11`	`+contents:read`
	`12`	`+`
`9`	`13`	`jobs:`
`10`	`14`	`go-race:`
`11`	`15`	`# While GitHub's toaster runners are likelier to flake, we want consistency`

`‎.github/workflows/pr-cleanup.yaml`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,12 +8,12 @@ on:`
`8`	`8`	`description:"PR number"`
`9`	`9`	`required:true`
`10`	`10`
`11`		`-permissions:`
`12`		`-packages:write`
`13`		`-`
`14`	`11`	`jobs:`
`15`	`12`	`cleanup:`
`16`	`13`	`runs-on:"ubuntu-latest"`
	`14`	`+permissions:`
	`15`	`+# Necessary to delete docker images from ghcr.io.`
	`16`	`+packages:write`
`17`	`17`	`steps:`
`18`	`18`	`-name:Harden Runner`
`19`	`19`	`uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1`

`‎.github/workflows/pr-deploy.yaml`

Lines changed: 5 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -30,8 +30,6 @@ env:`
`30`	`30`
`31`	`31`	`permissions:`
`32`	`32`	`contents:read`
`33`		`-packages:write`
`34`		`-pull-requests:write# needed for commenting on PRs`
`35`	`33`
`36`	`34`	`jobs:`
`37`	`35`	`check_pr:`
`@@ -171,6 +169,8 @@ jobs:`
`171`	`169`	`needs:get_info`
`172`	`170`	`if:needs.get_info.outputs.BUILD == 'true' \|\| github.event.inputs.deploy == 'true'`
`173`	`171`	`runs-on:"ubuntu-latest"`
	`172`	`+permissions:`
	`173`	`+pull-requests:write# needed for commenting on PRs`
`174`	`174`	`steps:`
`175`	`175`	`-name:Harden Runner`
`176`	`176`	`uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1`
`@@ -205,6 +205,9 @@ jobs:`
`205`	`205`	`# Run build job only if there are changes in the files that we care about or if the workflow is manually triggered with --build flag`
`206`	`206`	`if:needs.get_info.outputs.BUILD == 'true'`
`207`	`207`	`runs-on:${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' \|\| 'ubuntu-latest' }}`
	`208`	`+permissions:`
	`209`	`+# Necessary to push docker images to ghcr.io.`
	`210`	`+packages:write`
`208`	`211`	`# This concurrency only cancels build jobs if a new build is triggred. It will avoid cancelling the current deployemtn in case of docs chnages.`
`209`	`212`	`concurrency:`
`210`	`213`	`group:build-${{ github.workflow }}-${{ github.ref }}-${{ needs.get_info.outputs.BUILD }}`

`‎.github/workflows/release-validation.yaml`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,9 @@ on:`
`5`	`5`	`tags:`
`6`	`6`	`-"v*"`
`7`	`7`
	`8`	`+permissions:`
	`9`	`+contents:read`
	`10`	`+`
`8`	`11`	`jobs:`
`9`	`12`	`network-performance:`
`10`	`13`	`runs-on:ubuntu-latest`

`‎.github/workflows/release.yaml`

Lines changed: 8 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -18,12 +18,7 @@ on:`
`18`	`18`	`default:false`
`19`	`19`
`20`	`20`	`permissions:`
`21`		`-# Required to publish a release`
`22`		`-contents:write`
`23`		`-# Necessary to push docker images to ghcr.io.`
`24`		`-packages:write`
`25`		`-# Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)`
`26`		`-id-token:write`
	`21`	`+contents:read`
`27`	`22`
`28`	`23`	`concurrency:${{ github.workflow }}-${{ github.ref }}`
`29`	`24`
`@@ -40,6 +35,13 @@ jobs:`
`40`	`35`	`release:`
`41`	`36`	`name:Build and publish`
`42`	`37`	`runs-on:${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' \|\| 'ubuntu-latest' }}`
	`38`	`+permissions:`
	`39`	`+# Required to publish a release`
	`40`	`+contents:write`
	`41`	`+# Necessary to push docker images to ghcr.io.`
	`42`	`+packages:write`
	`43`	`+# Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)`
	`44`	`+id-token:write`
`43`	`45`	`env:`
`44`	`46`	`# Necessary for Docker manifest`
`45`	`47`	`DOCKER_CLI_EXPERIMENTAL:"enabled"`

`‎.github/workflows/stale.yaml`

Lines changed: 13 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,16 +1,21 @@`
`1`		`-name:Stale Issue,Banch and Old Workflows Cleanup`
	`1`	`+name:Stale Issue,Branch and Old Workflows Cleanup`
`2`	`2`	`on:`
`3`	`3`	`schedule:`
`4`	`4`	`# Every day at midnight`
`5`	`5`	`-cron:"0 0 * * *"`
`6`	`6`	`workflow_dispatch:`
	`7`	`+`
	`8`	`+permissions:`
	`9`	`+contents:read`
	`10`	`+`
`7`	`11`	`jobs:`
`8`	`12`	`issues:`
`9`	`13`	`runs-on:ubuntu-latest`
`10`	`14`	`permissions:`
	`15`	`+# Needed to close issues.`
`11`	`16`	`issues:write`
	`17`	`+# Needed to close PRs.`
`12`	`18`	`pull-requests:write`
`13`		`-actions:write`
`14`	`19`	`steps:`
`15`	`20`	`-name:Harden Runner`
`16`	`21`	`uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1`
`@@ -86,6 +91,9 @@ jobs:`
`86`	`91`
`87`	`92`	`branches:`
`88`	`93`	`runs-on:ubuntu-latest`
	`94`	`+permissions:`
	`95`	`+# Needed to delete branches.`
	`96`	`+contents:write`
`89`	`97`	`steps:`
`90`	`98`	`-name:Harden Runner`
`91`	`99`	`uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1`
`@@ -105,6 +113,9 @@ jobs:`
`105`	`113`	`exclude_open_pr_branches:true`
`106`	`114`	`del_runs:`
`107`	`115`	`runs-on:ubuntu-latest`
	`116`	`+permissions:`
	`117`	`+# Needed to delete workflow runs.`
	`118`	`+actions:write`
`108`	`119`	`steps:`
`109`	`120`	`-name:Harden Runner`
`110`	`121`	`uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitafacb07

File tree

7 files changed

7 files changed

`‎.github/workflows/docker-base.yaml`

`‎.github/workflows/nightly-gauntlet.yaml`

`‎.github/workflows/pr-cleanup.yaml`

`‎.github/workflows/pr-deploy.yaml`

`‎.github/workflows/release-validation.yaml`

`‎.github/workflows/release.yaml`

`‎.github/workflows/stale.yaml`

0 commit comments