From a1f1acfbf9425d24d946cabe0af3ee718444ba0e Mon Sep 17 00:00:00 2001
From: mhmdanas
Date: Sun, 3 Jul 2022 20:38:51 +0300
Subject: [PATCH] Use minimum required permissions for GitHub workflows

This reduces the attack surface if the workflows are ever compromised.
---
 .github/workflows/ci.yml | 14 +++++++++++++-
 .github/workflows/image-minimizer.yml | 4 ++++
 .github/workflows/no-response.yml | 4 ++++
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2448e0add..d9342e72a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -31,6 +31,10 @@ on:
 jobs:
 build-and-test-jvm:
 runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+
 steps:
 - uses: actions/checkout@v3
 - uses: gradle/wrapper-validation-action@v1
@@ -64,6 +68,10 @@ jobs:
 matrix:
 # api-level 19 is min sdk, but throws errors related to desugaring
 api-level: [ 21, 29 ]
+
+ permissions:
+ contents: read
+
 steps:
 - uses: actions/checkout@v3
 
@@ -81,7 +89,7 @@ jobs:
 # workaround to emulator bug: https://github.com/ReactiveCircus/android-emulator-runner/issues/160
 emulator-build: 7425822
 script: ./gradlew connectedCheck --stacktrace
-
+
 - name: Upload test report when tests fail # because the printed out stacktrace (console) is too short, see also #7553
 uses: actions/upload-artifact@v3
 if: failure()
@@ -91,6 +99,10 @@ jobs:
 
 sonar:
 runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+
 steps:
 - uses: actions/checkout@v3
 with:
diff --git a/.github/workflows/image-minimizer.yml b/.github/workflows/image-minimizer.yml
index c6ab6d5b3..b8bf9e1d2 100644
--- a/.github/workflows/image-minimizer.yml
+++ b/.github/workflows/image-minimizer.yml
@@ -6,6 +6,10 @@ on:
 issues:
 types: [opened, edited]
 
+permissions:
+ issues: write
+ pull-requests: write
+
 jobs:
 try-minimize:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/no-response.yml b/.github/workflows/no-response.yml
index 54e749dc0..6a4a8a61a 100644
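Review bot: ci.yml still has no workflow-level `permissions` default: the read-only grant lands per job (build-and-test-jvm here, the matrix job at -64 whose name lies above its hunk, and sonar at -91), so any job this diff does not touch, or one added later without its own block, keeps whatever token scope the repository default grants. Adding `permissions:` / `  contents: read` at the top level beside `on:` makes read-only the floor for the whole file and lets an individual job raise only the scopes it needs; the per-job blocks can then stay or be dropped where they merely repeat the default. Once a `permissions` block names any scope, every scope it omits is set to none for that job, which is the intended effect here but worth confirming for sonar, whose steps beyond the checkout run past the hunk.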
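Review bot: Naming `issues: write` and `pull-requests: write` at the workflow level sets every unlisted scope, including `contents`, to none for try-minimize, so if the job's steps (they run past the hunk) check out the repository, the block also needs `contents: read`; the same applies to the identical block in no-response.yml at -9. The only trigger visible in this hunk is `issues:` with `types: [opened, edited]`, so `pull-requests: write` looks unused unless the `on:` block above the hunk, or the job itself, also acts on pull requests — if it does not, drop it to keep the grant minimal, which is the commit's stated goal. Since the token can now edit issues, any step that passes the issue title or body into a shell `run:` should do so via an environment variable rather than direct `${{ }}` interpolation; that step is not in the hunk, so this is a check rather than a finding.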
--- a/.github/workflows/no-response.yml
+++ b/.github/workflows/no-response.yml
@@ -9,6 +9,10 @@ on:
 # Run daily at midnight.
 - cron: '0 0 * * *'
 
+permissions:
+ issues: write
+ pull-requests: write
+
 jobs:
 noResponse:
 runs-on: ubuntu-latest