From 3d0f7637eb0d7ebb4cce6962b5589fa9c1430b5d Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Tue, 12 Jul 2022 14:50:46 -0700
Subject: [PATCH] build: add GitHub token permissions for workflows
Signed-off-by: Varun Sharma
PR-URL: https://github.com/nodejs/node/pull/43743
Reviewed-By: Antoine du Hamel
Reviewed-By: Rich Trott
---
 .github/workflows/authors.yml | 3 +++
 .github/workflows/auto-start-ci.yml | 8 ++++++++
 .github/workflows/build-tarball.yml | 3 +++
 .github/workflows/build-windows.yml | 3 +++
 .github/workflows/close-stale-feature-requests.yml | 6 ++++++
 .github/workflows/close-stalled.yml | 6 ++++++
 .github/workflows/comment-labeled.yml | 8 ++++++++
 .github/workflows/commit-lint.yml | 3 +++
 .github/workflows/commit-queue.yml | 5 +++++
 .github/workflows/coverage-linux.yml | 3 +++
 .github/workflows/coverage-windows.yml | 3 +++
 .github/workflows/daily.yml | 3 +++
 .github/workflows/doc.yml | 3 +++
 .github/workflows/find-inactive-collaborators.yml | 3 +++
 .github/workflows/find-inactive-tsc.yml | 3 +++
 .github/workflows/label-pr.yml | 3 +++
 .github/workflows/license-builder.yml | 6 ++++++
 .github/workflows/linters.yml | 3 +++
 .github/workflows/notify-force-push.yml | 3 +++
 .github/workflows/test-asan.yml | 3 +++
 .github/workflows/test-internet.yml | 3 +++
 .github/workflows/test-linux.yml | 3 +++
 .github/workflows/test-macos.yml | 3 +++
 .github/workflows/tools.yml | 3 +++
 24 files changed, 93 insertions(+)
diff --git a/.github/workflows/authors.yml b/.github/workflows/authors.yml
index 80d6b0ab22f..e33089ea252 100644
--- a/.github/workflows/authors.yml
+++ b/.github/workflows/authors.yml
@@ -6,6 +6,9 @@ on: workflow_dispatch: +permissions: + contents: read + jobs: authors_update: if: github.repository == 'nodejs/node'
diff --git a/.github/workflows/auto-start-ci.yml b/.github/workflows/auto-start-ci.yml
index ed5606a58f1..98f562fd00b 100644
--- a/.github/workflows/auto-start-ci.yml
+++ b/.github/workflows/auto-start-ci.yml
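Review bot: The workflow-level `contents: read` leaves `authors_update` with a read-only GITHUB_TOKEN and the hunk grants the job no write scope, yet a job whose purpose is updating AUTHORS presumably pushes a branch or opens a PR, which this same commit had to allow for `update_license` in license-builder.yml via job-level `contents: write` and `pull-requests: write`. If the job's steps perform that push with `secrets.GITHUB_TOKEN`, the push will now be rejected on the next scheduled run; if they use a separately provisioned token, the read-only default is the right choice and a one-line comment such as `# pushes with a dedicated token, so the default GITHUB_TOKEN stays read-only` would spare the next reader the same question. The same check applies to `find` in find-inactive-collaborators.yml and find-inactive-tsc.yml and to `tools-update` in tools.yml, whose hunks also add only the read-only default. The job's steps lie outside the hunk, so this is inferred from the job names alone.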
@@ -13,8 +13,13 @@ concurrency: ${{ github.workflow }} env: NODE_VERSION: lts/* +permissions: + contents: read + jobs: get-prs-for-ci: + permissions: + pull-requests: read if: github.repository == 'nodejs/node' runs-on: ubuntu-latest outputs:
@@ -32,6 +37,9 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} start-ci: + permissions: + contents: read + pull-requests: write needs: get-prs-for-ci if: needs.get-prs-for-ci.outputs.numbers != '' runs-on: ubuntu-latest
diff --git a/.github/workflows/build-tarball.yml b/.github/workflows/build-tarball.yml
index 52e3ac97c68..4509450172f 100644
--- a/.github/workflows/build-tarball.yml
+++ b/.github/workflows/build-tarball.yml
@@ -31,6 +31,9 @@ env: PYTHON_VERSION: '3.10' FLAKY_TESTS: dontcare +permissions: + contents: read + jobs: build-tarball: if: github.event.pull_request.draft == false
diff --git a/.github/workflows/build-windows.yml b/.github/workflows/build-windows.yml
index 1bcb929de59..3e7ec807a34 100644
--- a/.github/workflows/build-windows.yml
+++ b/.github/workflows/build-windows.yml
@@ -26,6 +26,9 @@ env: PYTHON_VERSION: '3.10' FLAKY_TESTS: dontcare +permissions: + contents: read + jobs: build-windows: if: github.event.pull_request.draft == false
diff --git a/.github/workflows/close-stale-feature-requests.yml b/.github/workflows/close-stale-feature-requests.yml
index c815b9acbae..834c4c84c28 100644
--- a/.github/workflows/close-stale-feature-requests.yml
+++ b/.github/workflows/close-stale-feature-requests.yml
@@ -28,8 +28,14 @@ env: [feature request management document](https://github.com/nodejs/node/blob/HEAD/doc/contributing/feature-request-management.md). # yamllint enable +permissions: + contents: read + jobs: stale: + permissions: + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs if: github.repository == 'nodejs/node' runs-on: ubuntu-latest steps:
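Review bot: The job-level `permissions:` block added to `get-prs-for-ci` lists only `pull-requests: read`, and a job-level block replaces the workflow-level map rather than merging with it, so every scope not named there — including the `contents: read` granted three lines above — becomes `none` for this job. That is the tightest possible grant and is fine if the job only calls the API with the `GITHUB_TOKEN` env visible in the next hunk's context, but if any of its steps checks out the repository, `contents: read` has to be restated on the job exactly as the second hunk does for `start-ci`. A comment on the block, `# replaces the workflow defaults: contents becomes none, no checkout in this job`, would record that this was deliberate. `get_mergeable_prs` in commit-queue.yml receives the identical single-scope block and deserves the same check. The job's steps are outside the hunk.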
diff --git a/.github/workflows/close-stalled.yml b/.github/workflows/close-stalled.yml
index 347b22bd70c..509d79056f9 100644
--- a/.github/workflows/close-stalled.yml
+++ b/.github/workflows/close-stalled.yml
@@ -9,8 +9,14 @@ env: is still relevant, or to ping the collaborator who labelled it stalled if you have any questions. +permissions: + contents: read + jobs: stale: + permissions: + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs if: github.repository == 'nodejs/node' runs-on: ubuntu-latest steps:
diff --git a/.github/workflows/comment-labeled.yml b/.github/workflows/comment-labeled.yml
index 5c529000a63..5f59a48bb5a 100644
--- a/.github/workflows/comment-labeled.yml
+++ b/.github/workflows/comment-labeled.yml
@@ -11,8 +11,14 @@ env: If it should remain open, please leave a comment explaining why it should remain open. FAST_TRACK_MESSAGE: Fast-track has been requested by @${{ github.actor }}. Please 👍 to approve. +permissions: + contents: read + jobs: stale-comment: + permissions: + issues: write + pull-requests: write if: github.repository == 'nodejs/node' && github.event.label.name == 'stalled' runs-on: ubuntu-latest steps:
@@ -23,6 +29,8 @@ jobs: run: gh issue comment "$NUMBER" --repo ${{ github.repository }} --body "$STALE_MESSAGE" fast-track: + permissions: + pull-requests: write if: github.repository == 'nodejs/node' && github.event_name == 'pull_request_target' && github.event.label.name == 'fast-track' runs-on: ubuntu-latest steps:
diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml
index 1863a79ab17..738a034aecb 100644
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@@ -5,6 +5,9 @@ on: [pull_request] env: NODE_VERSION: lts/* +permissions: + contents: read + jobs: lint-commit-message: runs-on: ubuntu-latest
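Review bot: The `issues: write` and `pull-requests: write` scopes added to `stale-comment` in comment-labeled.yml carry no rationale, whereas the equivalent lines this commit adds in close-stalled.yml and close-stale-feature-requests.yml each explain themselves with `# for actions/stale …`. The second hunk's context shows the job runs `gh issue comment "$NUMBER" …`, so the reason is known and can be written down: `issues: write # for gh issue comment on stalled issues` and `pull-requests: write # for gh issue comment on stalled PRs`. The `pull-requests: write` given to `fast-track` merits a comment too, because its `if:` shows it runs on `pull_request_target`, i.e. the write scope is exercised in the base repository's privileged context on a label event — worth noting that the comment body is a fixed env string rather than PR-controlled content. The steps of `fast-track` are outside the hunk.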
diff --git a/.github/workflows/commit-queue.yml b/.github/workflows/commit-queue.yml
index d8189f85e8a..ac57fbb0e01 100644
--- a/.github/workflows/commit-queue.yml
+++ b/.github/workflows/commit-queue.yml
@@ -18,8 +18,13 @@ concurrency: ${{ github.workflow }} env: NODE_VERSION: lts/* +permissions: + contents: read + jobs: get_mergeable_prs: + permissions: + pull-requests: read if: github.repository == 'nodejs/node' runs-on: ubuntu-latest outputs:
diff --git a/.github/workflows/coverage-linux.yml b/.github/workflows/coverage-linux.yml
index 5e8115a9245..abd69801f60 100644
--- a/.github/workflows/coverage-linux.yml
+++ b/.github/workflows/coverage-linux.yml
@@ -29,6 +29,9 @@ env: PYTHON_VERSION: '3.10' FLAKY_TESTS: dontcare +permissions: + contents: read + jobs: coverage-linux: if: github.event.pull_request.draft == false
diff --git a/.github/workflows/coverage-windows.yml b/.github/workflows/coverage-windows.yml
index 287872d79f3..d9c5bfb58d6 100644
--- a/.github/workflows/coverage-windows.yml
+++ b/.github/workflows/coverage-windows.yml
@@ -31,6 +31,9 @@ env: PYTHON_VERSION: '3.10' FLAKY_TESTS: dontcare +permissions: + contents: read + jobs: coverage-windows: if: github.event.pull_request.draft == false
diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml
index aabc566f544..f14bde4c7fb 100644
--- a/.github/workflows/daily.yml
+++ b/.github/workflows/daily.yml
@@ -8,6 +8,9 @@ on: env: NODE_VERSION: lts/* +permissions: + contents: read + jobs: build-lto: runs-on: ubuntu-latest
diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml
index 474a8dd7eac..72abb16ad50 100644
--- a/.github/workflows/doc.yml
+++ b/.github/workflows/doc.yml
@@ -16,6 +16,9 @@ concurrency: env: NODE_VERSION: lts/* +permissions: + contents: read + jobs: build-docs: if: github.event.pull_request.draft == false
diff --git a/.github/workflows/find-inactive-collaborators.yml b/.github/workflows/find-inactive-collaborators.yml
index 7445dd8ca84..ce47c0a1dde 100644
--- a/.github/workflows/find-inactive-collaborators.yml
+++ b/.github/workflows/find-inactive-collaborators.yml
@@ -10,6 +10,9 @@ on: env: NODE_VERSION: lts/* +permissions: + contents: read + jobs: find: if: github.repository == 'nodejs/node'
diff --git a/.github/workflows/find-inactive-tsc.yml b/.github/workflows/find-inactive-tsc.yml
index 389a6d1e0f5..2f6afec4227 100644
--- a/.github/workflows/find-inactive-tsc.yml
+++ b/.github/workflows/find-inactive-tsc.yml
@@ -10,6 +10,9 @@ on: env: NODE_VERSION: lts/* +permissions: + contents: read + jobs: find: if: github.repository == 'nodejs/node'
diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml
index 58e9b226dab..922a9359f5e 100644
--- a/.github/workflows/label-pr.yml
+++ b/.github/workflows/label-pr.yml
@@ -4,6 +4,9 @@ on: pull_request_target: types: [opened] +permissions: + contents: read + jobs: label: runs-on: ubuntu-latest
diff --git a/.github/workflows/license-builder.yml b/.github/workflows/license-builder.yml
index 790bab9e397..3c966da1d5b 100644
--- a/.github/workflows/license-builder.yml
+++ b/.github/workflows/license-builder.yml
@@ -6,8 +6,14 @@ on: - cron: 0 0 * * 1 workflow_dispatch: +permissions: + contents: read + jobs: update_license: + permissions: + contents: write # for gr2m/create-or-update-pull-request-action to push local changes + pull-requests: write # for gr2m/create-or-update-pull-request-action to create a PR if: github.repository == 'nodejs/node' runs-on: ubuntu-latest steps:
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index c9873d188a8..1b5c9e8f9ba 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -17,6 +17,9 @@ env: PYTHON_VERSION: '3.10' NODE_VERSION: lts/* +permissions: + contents: read + jobs: lint-addon-docs: if: github.event.pull_request.draft == false
diff --git a/.github/workflows/notify-force-push.yml b/.github/workflows/notify-force-push.yml
index 32876584edb..69aacc8524f 100644
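Review bot: In label-pr.yml the `label` job is left with only the workflow-level `contents: read`, but the workflow exists to add labels to the PR that the `pull_request_target: types: [opened]` trigger at the top of the hunk fires on, and writing labels needs `pull-requests: write` on the token; the hunk adds no job-level block, unlike `fast-track` in comment-labeled.yml, so if the labeler step authenticates with `secrets.GITHUB_TOKEN` the label write will be rejected on the first PR opened after this lands. The fix is a job-level block that restates the minimum, `permissions:` with `pull-requests: write` (plus `contents: read` only if the job checks out the repository), which keeps the `pull_request_target` run at the least privilege it actually needs. The job's steps are outside the hunk, so confirm which token they use before choosing between the two readings.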
--- a/.github/workflows/notify-force-push.yml
+++ b/.github/workflows/notify-force-push.yml
@@ -4,6 +4,9 @@ on: - main name: Notify on Force Push +permissions: + contents: read + jobs: slackNotification: name: Slack Notification
diff --git a/.github/workflows/test-asan.yml b/.github/workflows/test-asan.yml
index b345eded201..ba30449e90b 100644
--- a/.github/workflows/test-asan.yml
+++ b/.github/workflows/test-asan.yml
@@ -33,6 +33,9 @@ env: PYTHON_VERSION: '3.10' FLAKY_TESTS: dontcare +permissions: + contents: read + jobs: test-asan: if: github.event.pull_request.draft == false
diff --git a/.github/workflows/test-internet.yml b/.github/workflows/test-internet.yml
index 75f508bfe01..297ceea987a 100644
--- a/.github/workflows/test-internet.yml
+++ b/.github/workflows/test-internet.yml
@@ -24,6 +24,9 @@ env: PYTHON_VERSION: '3.10' FLAKY_TESTS: dontcare +permissions: + contents: read + jobs: test-internet: runs-on: ubuntu-latest
diff --git a/.github/workflows/test-linux.yml b/.github/workflows/test-linux.yml
index b2fa9e0a0cb..4cc09f22c25 100644
--- a/.github/workflows/test-linux.yml
+++ b/.github/workflows/test-linux.yml
@@ -26,6 +26,9 @@ env: PYTHON_VERSION: '3.10' FLAKY_TESTS: dontcare +permissions: + contents: read + jobs: test-linux: if: github.event.pull_request.draft == false
diff --git a/.github/workflows/test-macos.yml b/.github/workflows/test-macos.yml
index f342dbfa0f1..5f93730d666 100644
--- a/.github/workflows/test-macos.yml
+++ b/.github/workflows/test-macos.yml
@@ -32,6 +32,9 @@ env: PYTHON_VERSION: '3.10' FLAKY_TESTS: dontcare +permissions: + contents: read + jobs: test-macOS: if: github.event.pull_request.draft == false
diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml
index 77a55732881..e58f59ef78a 100644
--- a/.github/workflows/tools.yml
+++ b/.github/workflows/tools.yml
@@ -6,6 +6,9 @@ on: workflow_dispatch: +permissions: + contents: read + jobs: tools-update: if: github.repository == 'nodejs/node'