GitHub Workflows security hardening (#3470)

* build: harden docker-publish.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> * build: harden website.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> * build: harden changesets.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> * build: harden static-data.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> Signed-off-by: Alex <aleksandrosansan@gmail.com>
2024-12-30 22:34:10 -05:00 · 2022-11-12 08:42:01 +02:00 · 2022-11-12 08:42:01 +02:00 · 17984fa31b
commit 17984fa31b
parent bd440840c8
4 changed files with 19 additions and 0 deletions
--- a/.github/workflows/changesets.yml
+++ b/.github/workflows/changesets.yml
@ -12,6 +12,9 @@ env:
  CI: true
  PNPM_CACHE_FOLDER: .pnpm-store

+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
  # Update package versions from changesets.
  version:
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@ -15,6 +15,10 @@ on:
      - 'master'
    tags:
      - 'v*'
+
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
  docker:
    runs-on: ubuntu-latest
--- a/.github/workflows/static-data.yml
+++ b/.github/workflows/static-data.yml
@ -10,6 +10,10 @@ on:
  # push:
  #   branches:
  #     - master
+
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
  prepare:
    name: Run script
--- a/.github/workflows/website.yml
+++ b/.github/workflows/website.yml
@ -9,8 +9,16 @@ on:
  schedule:
    - cron: '0 0 * * *' 

+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
  build:
+    permissions:
+      contents: read  #  to fetch code (actions/checkout)
+      deployments: write
+      pull-requests: write  #  to comment on pull-requests
+
    runs-on: ubuntu-latest
    env:
      NODE_OPTIONS: --max_old_space_size=4096