build: add GitHub token permissions for workflows #43743

Merged (1 commit), Jul 12, 2022
3 changes: 3 additions & 0 deletions .github/workflows/authors.yml
@@ -6,6 +6,9 @@ on:

workflow_dispatch:

permissions:
contents: read
Member: This workflow might open a pull request. Is this setting correct?

Contributor Author: The setting is correct because the credential used to open the PR is not the GITHUB_TOKEN. It is a different secret which has been explicitly set up called GH_USER_TOKEN.

GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}


jobs:
authors_update:
if: github.repository == 'nodejs/node'
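Review bot: The `GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}` context line shows this job swaps the workflow token for a PAT, so the new `contents: read` block does not constrain the credential that actually opens the pull request. Add a YAML comment on the `permissions:` block stating that the PR is created with `GH_USER_TOKEN`, so a later reader does not widen it to `contents: write` or `pull-requests: write` believing the job needs it.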
8 changes: 8 additions & 0 deletions .github/workflows/auto-start-ci.yml
@@ -13,8 +13,13 @@ concurrency: ${{ github.workflow }}
env:
NODE_VERSION: lts/*

permissions:
contents: read

jobs:
get-prs-for-ci:
permissions:
pull-requests: read
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
outputs:
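Review bot: The job-level `permissions:` on `get-prs-for-ci` replaces the workflow-level block rather than merging with it, so this job ends up with `pull-requests: read` and nothing else (every scope not listed becomes `none`). That is correct if the job only queries PRs through the API, but if it runs actions/checkout it needs `contents: read` repeated here, the way `start-ci` lists both scopes.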
@@ -32,6 +37,9 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
start-ci:
permissions:
contents: read
pull-requests: write
needs: get-prs-for-ci
if: needs.get-prs-for-ci.outputs.numbers != ''
runs-on: ubuntu-latest
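Review bot: `pull-requests: write` on `start-ci` is the only write scope in this file and the hunk does not say which step needs it; add a trailing comment on that line in the `# for <action> to <do what>` form the stale workflows in this PR use, so the grant can be audited against the job's steps.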
3 changes: 3 additions & 0 deletions .github/workflows/build-tarball.yml
@@ -31,6 +31,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare

permissions:
contents: read

jobs:
build-tarball:
if: github.event.pull_request.draft == false
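Review bot: `contents: read` at workflow level is the right minimum for a pure build job. Worth noting for reviewers: on `pull_request` runs from forks the token is already read-only, so the practical effect of this block is on same-repository branches and pushes, where the repository default may still issue a write-capable token; that is exactly the case a pinned read-only block closes.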
3 changes: 3 additions & 0 deletions .github/workflows/build-windows.yml
@@ -26,6 +26,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare

permissions:
contents: read

jobs:
build-windows:
if: github.event.pull_request.draft == false
6 changes: 6 additions & 0 deletions .github/workflows/close-stale-feature-requests.yml
@@ -28,8 +28,14 @@ env:
[feature request management document](https://github.com/nodejs/node/blob/HEAD/doc/contributing/feature-request-management.md).
# yamllint enable

permissions:
contents: read

jobs:
stale:
permissions:
issues: write # for actions/stale to close stale issues
pull-requests: write # for actions/stale to close stale PRs
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
steps:
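Review bot: The inline `# for actions/stale to …` comments on `issues: write` and `pull-requests: write` are the right pattern for justifying each write scope. Keep in mind that this job-level block drops the workflow-level `contents: read` for the `stale` job; that is harmless here because actions/stale works purely through the API and never checks out the repository.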
6 changes: 6 additions & 0 deletions .github/workflows/close-stalled.yml
@@ -9,8 +9,14 @@ env:
is still relevant, or to ping the collaborator who labelled it stalled if
you have any questions.

permissions:
contents: read

jobs:
stale:
permissions:
issues: write # for actions/stale to close stale issues
pull-requests: write # for actions/stale to close stale PRs
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
steps:
8 changes: 8 additions & 0 deletions .github/workflows/comment-labeled.yml
@@ -11,8 +11,14 @@ env:
If it should remain open, please leave a comment explaining why it should remain open.
FAST_TRACK_MESSAGE: Fast-track has been requested by @${{ github.actor }}. Please 👍 to approve.

permissions:
contents: read

jobs:
stale-comment:
permissions:
issues: write
pull-requests: write
if: github.repository == 'nodejs/node' && github.event.label.name == 'stalled'
runs-on: ubuntu-latest
steps:
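Review bot: `stale-comment` gets two write scopes without the `# for …` justification comments used in close-stalled.yml; add them, because this workflow appears to run on `pull_request_target` (the `fast-track` job condition checks that event), which is the elevated-token case where every write scope should be explainable. `issues: write` is what `gh issue comment` needs when the labelled item is an issue and `pull-requests: write` covers the PR case.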
@@ -23,6 +29,8 @@ jobs:
run: gh issue comment "$NUMBER" --repo ${{ github.repository }} --body "$STALE_MESSAGE"

fast-track:
permissions:
pull-requests: write
if: github.repository == 'nodejs/node' && github.event_name == 'pull_request_target' && github.event.label.name == 'fast-track'
runs-on: ubuntu-latest
steps:
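Review bot: `fast-track` gets only `pull-requests: write`, while `stale-comment` above got both `issues: write` and `pull-requests: write`; confirm the fast-track step succeeds with the narrower set. It should, since the job's condition limits it to `pull_request_target` events and GitHub accepts `pull-requests: write` for comment and label calls on a pull request.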
3 changes: 3 additions & 0 deletions .github/workflows/commit-lint.yml
@@ -5,6 +5,9 @@ on: [pull_request]
env:
NODE_VERSION: lts/*

permissions:
contents: read

jobs:
lint-commit-message:
runs-on: ubuntu-latest
5 changes: 5 additions & 0 deletions .github/workflows/commit-queue.yml
@@ -18,8 +18,13 @@ concurrency: ${{ github.workflow }}
env:
NODE_VERSION: lts/*

permissions:
contents: read
Contributor (on lines +21 to +22): nit: we may not need contents permission at all for this workflow since we're using GH_USER_TOKEN to clone the repo – but I suppose it's easier to always have it at the top of each workflow file, it can't hurt on an open-source repo anyway.

Contributor Author: Yes, the contents: read is not strictly needed here. Setting that at the workflow level helps if a new job is added to the workflow. In that case, the new job will have contents: read, which is a secure-by-default setting.


jobs:
get_mergeable_prs:
permissions:
pull-requests: read
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
outputs:
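Review bot: As the thread above notes, the commit queue clones and pushes with `GH_USER_TOKEN`, so neither `contents: read` nor the job-level `pull-requests: read` on `get_mergeable_prs` governs the credential that actually lands commits. The workflow-level block is still worth keeping as the secure default for any job added later, but a comment next to the PAT usage saying that it bypasses this block would make the real trust boundary visible to the next reviewer.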
3 changes: 3 additions & 0 deletions .github/workflows/coverage-linux.yml
@@ -29,6 +29,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare

permissions:
contents: read

jobs:
coverage-linux:
if: github.event.pull_request.draft == false
3 changes: 3 additions & 0 deletions .github/workflows/coverage-windows.yml
@@ -31,6 +31,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare

permissions:
contents: read

jobs:
coverage-windows:
if: github.event.pull_request.draft == false
3 changes: 3 additions & 0 deletions .github/workflows/daily.yml
@@ -8,6 +8,9 @@ on:
env:
NODE_VERSION: lts/*

permissions:
contents: read

jobs:
build-lto:
runs-on: ubuntu-latest
3 changes: 3 additions & 0 deletions .github/workflows/doc.yml
@@ -16,6 +16,9 @@ concurrency:
env:
NODE_VERSION: lts/*

permissions:
contents: read

jobs:
build-docs:
if: github.event.pull_request.draft == false
3 changes: 3 additions & 0 deletions .github/workflows/find-inactive-collaborators.yml
@@ -10,6 +10,9 @@ on:
env:
NODE_VERSION: lts/*

permissions:
contents: read

jobs:
find:
if: github.repository == 'nodejs/node'
3 changes: 3 additions & 0 deletions .github/workflows/find-inactive-tsc.yml
@@ -10,6 +10,9 @@ on:
env:
NODE_VERSION: lts/*

permissions:
contents: read

jobs:
find:
if: github.repository == 'nodejs/node'
3 changes: 3 additions & 0 deletions .github/workflows/label-pr.yml
@@ -4,6 +4,9 @@ on:
pull_request_target:
types: [opened]

permissions:
contents: read

jobs:
label:
runs-on: ubuntu-latest
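Review bot: The `label` job now inherits only `contents: read`, yet adding a label to a pull request requires `pull-requests: write`; unless the step supplies its own token, the label call will be rejected. Add a job-level block with `contents: read` and `pull-requests: write` (job-level blocks replace the workflow-level one, so `contents: read` has to be repeated), as done for `start-ci` in auto-start-ci.yml. Since this runs on `pull_request_target`, keeping the write scope on the job rather than the workflow is the right shape.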
6 changes: 6 additions & 0 deletions .github/workflows/license-builder.yml
@@ -6,8 +6,14 @@ on:
- cron: 0 0 * * 1
workflow_dispatch:

permissions:
contents: read

jobs:
update_license:
permissions:
contents: write # for gr2m/create-or-update-pull-request-action to push local changes
pull-requests: write # for gr2m/create-or-update-pull-request-action to create a PR
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
steps:
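Review bot: `contents: write` on `update_license` is the broadest scope granted anywhere in this PR. It is job-scoped, the `# for gr2m/create-or-update-pull-request-action to …` comments tie each scope to the step that needs it, and the triggers shown are `schedule` and `workflow_dispatch` rather than untrusted PR input, so the grant is acceptable; just keep it on the job and not at workflow level.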
3 changes: 3 additions & 0 deletions .github/workflows/linters.yml
@@ -17,6 +17,9 @@ env:
PYTHON_VERSION: '3.10'
NODE_VERSION: lts/*

permissions:
contents: read

jobs:
lint-addon-docs:
if: github.event.pull_request.draft == false
3 changes: 3 additions & 0 deletions .github/workflows/notify-force-push.yml
@@ -4,6 +4,9 @@ on:
- main

name: Notify on Force Push
permissions:
contents: read

jobs:
slackNotification:
name: Slack Notification
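Review bot: Style nit: `permissions:` is inserted directly under `name: Notify on Force Push` with no blank line, unlike every other file in this PR where the block is separated by blank lines; add one for consistency. Functionally, a Slack notification on a force push only needs the event payload, so `contents: read` is already a generous minimum, and `permissions: {}` would also work if the job never checks out the repository.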
3 changes: 3 additions & 0 deletions .github/workflows/test-asan.yml
@@ -33,6 +33,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare

permissions:
contents: read

jobs:
test-asan:
if: github.event.pull_request.draft == false
3 changes: 3 additions & 0 deletions .github/workflows/test-internet.yml
@@ -24,6 +24,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare

permissions:
contents: read

jobs:
test-internet:
runs-on: ubuntu-latest
3 changes: 3 additions & 0 deletions .github/workflows/test-linux.yml
@@ -26,6 +26,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare

permissions:
contents: read

jobs:
test-linux:
if: github.event.pull_request.draft == false
3 changes: 3 additions & 0 deletions .github/workflows/test-macos.yml
@@ -32,6 +32,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare

permissions:
contents: read

jobs:
test-macOS:
if: github.event.pull_request.draft == false
3 changes: 3 additions & 0 deletions .github/workflows/tools.yml
@@ -6,6 +6,9 @@ on:

workflow_dispatch:

permissions:
contents: read

jobs:
tools-deps-update:
if: github.repository == 'nodejs/node'