GitHub Workflows security hardening (#7629)

* build: harden push.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> * build: harden deployment.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> * build: harden pr.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> Signed-off-by: Alex <aleksandrosansan@gmail.com>
2025-07-31 07:00:06 +07:00 · 2022-09-27 14:10:18 +02:00
parent e21cac75b5
commit a68c17d876
3 changed files with 11 additions and 0 deletions
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@ -5,8 +5,12 @@ on:
    tags:
      - 'v*'

+permissions: {}
 jobs:
  deploy:
+    permissions:
+      contents: write # for release creation (svenstaro/upload-release-action)
+
    runs-on: ubuntu-latest

    steps:
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@ -2,6 +2,9 @@ name: Pull Request Tests

 on: [pull_request, workflow_dispatch]

+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
  testPR:
    runs-on: ubuntu-latest
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@ -2,8 +2,12 @@ name: Tests

 on: [push, workflow_dispatch]

+permissions: {}
 jobs:
  runPush:
+    permissions:
+      contents: write # for Update bundles
+
    runs-on: ubuntu-latest

    steps: