ci: Set permissions for GitHub actions

Restrict the GitHub token permissions only to the required ones; this way,
 even if the attackers will succeed in compromising your workflow,
 they won’t be able to do much.

- Included permissions for the action.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
This commit is contained in:
naveen 2022-05-01 01:00:30 +00:00 committed by Madhu Rajanna
parent b1a0f42b31
commit 2672fad90a
11 changed files with 37 additions and 0 deletions

View File

@ -5,6 +5,9 @@ on:
pull_request: pull_request:
branches: branches:
- '*' - '*'
permissions:
contents: read
jobs: jobs:
codespell: codespell:
name: multi-arch-build name: multi-arch-build

View File

@ -7,6 +7,9 @@ on:
pull_request: pull_request:
branches: branches:
- '*' - '*'
permissions:
contents: read
jobs: jobs:
codespell: codespell:
name: codespell name: codespell

View File

@ -5,6 +5,9 @@ on:
pull_request: pull_request:
branches: branches:
- '*' - '*'
permissions:
contents: read
jobs: jobs:
commitlint: commitlint:
name: commitlint name: commitlint

View File

@ -5,6 +5,9 @@ on:
pull_request: pull_request:
branches: branches:
- '*' - '*'
permissions:
contents: read
jobs: jobs:
go-test: go-test:
name: go-test name: go-test

View File

@ -5,6 +5,9 @@ on:
pull_request: pull_request:
branches: branches:
- '*' - '*'
permissions:
contents: read
jobs: jobs:
golangci-lint: golangci-lint:
name: golangci-lint name: golangci-lint

View File

@ -5,6 +5,9 @@ on:
pull_request: pull_request:
branches: branches:
- '*' - '*'
permissions:
contents: read
jobs: jobs:
lint-extras: lint-extras:
name: lint-extras name: lint-extras

View File

@ -5,6 +5,9 @@ on:
pull_request: pull_request:
branches: branches:
- '*' - '*'
permissions:
contents: read
jobs: jobs:
mod-check: mod-check:
name: mod-check name: mod-check

View File

@ -9,6 +9,9 @@ on:
- devel - devel
# Push events to branches matching refs/heads/release-v* # Push events to branches matching refs/heads/release-v*
- 'release-v*' - 'release-v*'
permissions:
contents: read
jobs: jobs:
push: push:
name: Publish artifacts name: Publish artifacts

View File

@ -5,6 +5,10 @@ on:
schedule: schedule:
# Run the retest action every 30 minutes # Run the retest action every 30 minutes
- cron: "30 * * * *" - cron: "30 * * * *"
permissions:
contents: read
jobs: jobs:
retest: retest:
runs-on: ubuntu-latest runs-on: ubuntu-latest

View File

@ -7,8 +7,14 @@ on:
# Run the stalebot every day at 9pm UTC # Run the stalebot every day at 9pm UTC
- cron: "00 21 * * *" - cron: "00 21 * * *"
# yamllint disable rule:line-length # yamllint disable rule:line-length
permissions:
contents: read
jobs: jobs:
stale: stale:
permissions:
issues: write # for actions/stale to close stale issues
pull-requests: write # for actions/stale to close stale PRs
runs-on: ubuntu-18.04 runs-on: ubuntu-18.04
if: github.repository == 'ceph/ceph-csi' if: github.repository == 'ceph/ceph-csi'
steps: steps:

View File

@ -5,6 +5,9 @@ on:
pull_request: pull_request:
branches: [devel] branches: [devel]
permissions:
contents: read
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest