ci: Set permissions for GitHub actions

Restrict the GitHub token permissions only to the required ones; this way,
 even if the attackers will succeed in compromising your workflow,
 they won’t be able to do much.

- Included permissions for the action.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
This commit is contained in:
naveen 2022-05-01 01:00:30 +00:00 committed by Madhu Rajanna
parent b1a0f42b31
commit 2672fad90a
11 changed files with 37 additions and 0 deletions

View File

@ -5,6 +5,9 @@ on:
pull_request:
branches:
- '*'
permissions:
contents: read
jobs:
codespell:
name: multi-arch-build

View File

@ -7,6 +7,9 @@ on:
pull_request:
branches:
- '*'
permissions:
contents: read
jobs:
codespell:
name: codespell

View File

@ -5,6 +5,9 @@ on:
pull_request:
branches:
- '*'
permissions:
contents: read
jobs:
commitlint:
name: commitlint

View File

@ -5,6 +5,9 @@ on:
pull_request:
branches:
- '*'
permissions:
contents: read
jobs:
go-test:
name: go-test

View File

@ -5,6 +5,9 @@ on:
pull_request:
branches:
- '*'
permissions:
contents: read
jobs:
golangci-lint:
name: golangci-lint

View File

@ -5,6 +5,9 @@ on:
pull_request:
branches:
- '*'
permissions:
contents: read
jobs:
lint-extras:
name: lint-extras

View File

@ -5,6 +5,9 @@ on:
pull_request:
branches:
- '*'
permissions:
contents: read
jobs:
mod-check:
name: mod-check

View File

@ -9,6 +9,9 @@ on:
- devel
# Push events to branches matching refs/heads/release-v*
- 'release-v*'
permissions:
contents: read
jobs:
push:
name: Publish artifacts

View File

@ -5,6 +5,10 @@ on:
schedule:
# Run the retest action every 30 minutes
- cron: "30 * * * *"
permissions:
contents: read
jobs:
retest:
runs-on: ubuntu-latest

View File

@ -7,8 +7,14 @@ on:
# Run the stalebot every day at 9pm UTC
- cron: "00 21 * * *"
# yamllint disable rule:line-length
permissions:
contents: read
jobs:
stale:
permissions:
issues: write # for actions/stale to close stale issues
pull-requests: write # for actions/stale to close stale PRs
runs-on: ubuntu-18.04
if: github.repository == 'ceph/ceph-csi'
steps:

View File

@ -5,6 +5,9 @@ on:
pull_request:
branches: [devel]
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest