[actions] restrict permissions for GITHUB_TOKEN

2025-10-26 04:10:36 +08:00 · 2021-09-10 06:09:45 +00:00
parent 2dad0455ec
commit 59532c74c6
8 changed files with 32 additions and 0 deletions
--- a/.github/workflows/latest-npm.yml
+++ b/.github/workflows/latest-npm.yml
@@ -4,6 +4,8 @@ on: [pull_request, push]

 jobs:
  nodes:
+    permissions:
+      contents: read
    name: 'nvm install-latest-npm'
    runs-on: ubuntu-latest

@@ -44,6 +46,8 @@ jobs:
      - run: npm --version

  node:
+    permissions:
+      contents: none
    name: 'nvm install-latest-npm'
    needs: [nodes]
    runs-on: ubuntu-latest
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -4,6 +4,8 @@ on: [pull_request, push]

 jobs:
  eclint:
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
@@ -14,6 +16,8 @@ jobs:
      - run: npm run eclint

  dockerfile_lint:
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
@@ -24,6 +28,8 @@ jobs:
      - run: npm run dockerfile_lint

  doctoc:
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
@@ -34,6 +40,8 @@ jobs:
      - run: npm run doctoc:check

  test_naming:
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@@ -4,6 +4,8 @@ on: [pull_request_target]

 jobs:
  _:
+    permissions:
+      contents: write
    name: "Automatic Rebase"

    runs-on: ubuntu-latest
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,8 @@ on: [pull_request, push]

 jobs:
  release:
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
--- a/.github/workflows/require-allow-edits.yml
+++ b/.github/workflows/require-allow-edits.yml
@@ -4,6 +4,8 @@ on: [pull_request_target]

 jobs:
  _:
+    permissions:
+      pull-requests: read
    name: "Require “Allow Edits”"

    runs-on: ubuntu-latest
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -4,6 +4,8 @@ on: [pull_request, push]

 jobs:
  shellcheck_matrix:
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
@@ -32,6 +34,8 @@ jobs:
        run: shellcheck -s ${{ matrix.shell }} ${{ matrix.file }}

  shellcheck:
+      permissions:
+        contents: none
      needs: [shellcheck_matrix]
      runs-on: ubuntu-latest
      steps:
--- a/.github/workflows/toc.yml
+++ b/.github/workflows/toc.yml
@@ -4,6 +4,8 @@ on: [push]

 jobs:
  _:
+    permissions:
+      contents: write
    name: "update readme TOC"

    runs-on: ubuntu-latest
--- a/.github/workflows/windows-npm.yml
+++ b/.github/workflows/windows-npm.yml
@@ -9,6 +9,8 @@ env:
 jobs:
  msys_fail_install:
    # Default installation does not work due to npm_config_prefix set to C:\npm\prefix
+    permissions:
+      contents: none
    name: 'MSYS fail prefix nvm install'
    runs-on: windows-latest
    steps:
@@ -20,6 +22,8 @@ jobs:
          ! nvm install --lts

  msys_matrix:
+    permissions:
+      contents: none
    name: 'MSYS nvm install'
    runs-on: windows-latest
    strategy:
@@ -43,6 +47,8 @@ jobs:
          nvm install ${{ matrix.npm-node-version }}

  cygwin_matrix:
+    permissions:
+      contents: none
    name: 'Cygwin nvm install'
    runs-on: windows-latest
    steps:
@@ -111,6 +117,8 @@ jobs:
          nvm install ${{ matrix.npm-node-version }}

  nvm_windows:
+      permissions:
+        contents: none
      needs: [wsl_matrix, cygwin_matrix, msys_matrix, msys_fail_install]
      runs-on: ubuntu-latest
      steps: