jeans/operating-system
jeans/operating-system
1
0
Fork 0
mirror of https://github.com/home-assistant/operating-system.git synced 2025-07-27 15:06:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

Set restrictive GitHub Action permissions (#1985)

Browse Source 
* chore: Set permissions for GitHub actions

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

* Remove global permissions which are set implicitly

With restrictive settings in the global GitHub Action permission settings
those permissions are given implicitly.

Co-authored-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
Co-authored-by: Joakim Sørensen <hi@ludeeus.dev>
Co-authored-by: Stefan Agner <stefan@agner.ch>
This commit is contained in:
Stefan Agner 2022-06-24 09:46:02 -07:00
parent da4ba283bb
commit fb5851099e
No known key found for this signature in database
GPG Key ID: AE01353D1E44747D
4 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/dev.yml vendored
View File

@ -12,6 +12,9 @@ jobs:
if: ${{ github.event_name == 'workflow_dispatch' || contains(github.event.pull_request.labels.*.name, 'run-dev-build') }} if: ${{ github.event_name == 'workflow_dispatch' || contains(github.event.pull_request.labels.*.name, 'run-dev-build') }}
name: Prepare build name: Prepare build
runs-on: [ "ubuntu-20.04" ] runs-on: [ "ubuntu-20.04" ]
permissions:
contents: read
pull-requests: read
outputs: outputs:
version_main: ${{ steps.version_main.outputs.version_main }} version_main: ${{ steps.version_main.outputs.version_main }}
version_dev: ${{ steps.version_dev.outputs.version_dev }}${{ steps.version_pr.outputs.version_pr }} version_dev: ${{ steps.version_dev.outputs.version_dev }}${{ steps.version_pr.outputs.version_pr }}

3
.github/workflows/release-drafter.yml vendored
View File

@ -8,6 +8,9 @@ on:
jobs: jobs:
update_release_draft: update_release_draft:
permissions:
contents: write # for release-drafter/release-drafter to create a github release
pull-requests: read # for release-drafter/release-drafter to read PR content and labels
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: release-drafter/release-drafter@v5 - uses: release-drafter/release-drafter@v5

2
.github/workflows/release.yml vendored
View File

@ -44,6 +44,8 @@ jobs:
return { "board": boards } return { "board": boards }
build: build:
permissions:
contents: write # for actions/upload-release-asset to upload release asset
name: Release build for ${{ matrix.board.id }} name: Release build for ${{ matrix.board.id }}
needs: validate_release needs: validate_release
strategy: strategy:

3
.github/workflows/stale.yml vendored
View File

@ -8,6 +8,9 @@ on:
jobs: jobs:
stale: stale:
permissions:
issues: write # for actions/stale to close stale issues
pull-requests: write # for actions/stale to close stale PRs
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# The 90 day stale policy # The 90 day stale policy