From: neilnaveen <neilnaveen@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: [PR PATCH] chore: Set permissions for GitHub actions
Date: Sun, 19 Jun 2022 03:58:33 +0200
Message-ID: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-37612@inbox.vuxu.org>
There is a new pull request by neilnaveen against master on the void-packages repository
https://github.com/turrisxyz/void-packages Pinned-Dependencies-GitHub
https://github.com/void-linux/void-packages/pull/37612
chore: Set permissions for GitHub actions
Restrict the GitHub token permissions only to the required ones; this way, even if attackers succeed in compromising your workflow, they won't be able to do much.
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
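As an added check for the layout the description above argues for (example code written for this thread, not part of void-packages or of any tool linked above): a small indentation-based scanner that reports whether a workflow file carries a top-level `permissions:` block and which jobs escalate to write scopes. It runs on constructed samples modelled on the two hunks and also understands the `read-all`/`write-all` shorthands, which this patch does not use; it is deliberately not a full YAML parser.

```python
# Indentation-based scanner for a workflow's GITHUB_TOKEN permission layout.

def _entries(text):
    """Yield (indent, key, value) per non-blank line, with comments stripped."""
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].rstrip()
        if code.strip():
            key, _, val = code.strip().partition(":")
            yield len(code) - len(code.lstrip()), key, val.strip()

def token_permissions(text):
    """Return {"workflow": perms or None, "jobs": {job: perms}}; perms is "read-all"/"write-all" or {scope: level}."""
    out, in_jobs, job_indent, job = {"workflow": None, "jobs": {}}, False, None, None
    block, block_indent = None, 0             # `permissions:` block currently being filled
    for indent, key, val in _entries(text):
        if block is not None and indent > block_indent:
            block[key] = val
            continue
        block = None                          # back at or above the block's own level
        if indent == 0:
            in_jobs = key == "jobs"
            if key == "permissions":          # `permissions: read-all` or a nested block
                block, block_indent = {}, 0
                out["workflow"] = val or block
        elif in_jobs:
            job_indent = job_indent or indent # first nested level under jobs: = job names
            if indent == job_indent:
                job = key
            elif key == "permissions" and job:
                block, block_indent = {}, indent
                out["jobs"][job] = val or block
    return out

def findings(text):
    """Flag the layouts the PR description argues against."""
    p, msgs = token_permissions(text), []
    top = p["workflow"]
    if top is None:
        msgs.append("workflow: no permissions block, token gets the repository default")
    elif top == "write-all" or (isinstance(top, dict) and "write" in top.values()):
        msgs.append(f"workflow: write access for every job: {top}")
    for job, perms in p["jobs"].items():
        writes = sorted(s for s, lvl in perms.items() if lvl == "write") if isinstance(perms, dict) else []
        if writes:
            msgs.append(f"job {job}: write on {', '.join(writes)} (unlisted scopes become none)")
    return msgs

# Constructed samples: build.yaml before this patch, stale.yml after it.
BUILD_BEFORE = "name: Build\non: [push]\njobs:\n  xlint:\n    runs-on: ubuntu-latest\n"
STALE_AFTER = ("on:\n  schedule:\n    - cron: '30 1 * * *'\npermissions:\n  contents: read\n"
               "jobs:\n  stale:\n    permissions:\n      issues: write  # close stale issues\n"
               "      pull-requests: write\n    runs-on: ubuntu-latest\n    steps:\n"
               "      - uses: actions/stale@v4\n")
```

Running `findings(BUILD_BEFORE)` reports the missing block, and `findings(STALE_AFTER)` reports only the two write scopes the `stale` job explicitly asks for.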
A patch file from https://github.com/void-linux/void-packages/pull/37612.patch is attached
[-- Attachment #2: github-pr-Pinned-Dependencies-GitHub-37612.patch --]
From 820caf32c6ba775d62912780073c88ab6cbc8963 Mon Sep 17 00:00:00 2001
From: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
Date: Sun, 19 Jun 2022 01:58:29 +0000
Subject: [PATCH] chore: Set permissions for GitHub actions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Restrict the GitHub token permissions only to the required ones; this way, even if attackers succeed in compromising your workflow, they won't be able to do much.
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
---
.github/workflows/build.yaml | 3 +++
.github/workflows/stale.yml | 6 ++++++
2 files changed, 9 insertions(+)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index bb05364b5e74..df60eb0a5775 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -14,6 +14,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
# Lint changed templates.
xlint:
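Review bot: the workflow-level `contents: read` added here applies to every job in build.yaml, but the hunk's context only shows `xlint`, so please confirm that no other job in this file uses GITHUB_TOKEN for anything beyond checkout (posting comments, pushing, creating releases); any such step will now fail with a 403 and needs its own job-level `permissions:` block, as the stale.yml hunk does for `stale`. A short comment above `permissions:` stating that jobs needing more must override it would help the next contributor.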
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 160897fedef1..5597cf00eaf9 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -6,8 +6,14 @@ on:
schedule:
- cron: '30 1 * * *'
+permissions:
+ contents: read
+
jobs:
stale:
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v4
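Review bot: the job-level `permissions:` on `stale` replaces the workflow-level block rather than merging with it, so this job's token ends up with `issues: write` and `pull-requests: write` and no `contents` scope at all; that is fine for actions/stale, which only talks to the issues and pull-requests API, but the inline comments could say so to stop a later reader from "fixing" it by adding `contents: read`. The two `# for actions/stale ...` justifications are exactly what the linked scorecard check asks for; keep them. Separately, `- uses: actions/stale@v4` stays tag-referenced, which is out of scope here but worth a follow-up given the branch name.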