ci: set minimal permissions to workflows (#7070)

* ci: set minimal permissions to workflows Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * Fix trailing whitespace on playwright-update.yml Co-authored-by: Michał Krassowski <5832902+krassowski@users.noreply.github.com> --------- Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> Co-authored-by: Michał Krassowski <5832902+krassowski@users.noreply.github.com>
2025-02-23 12:49:41 +08:00 · 2023-09-25 05:45:23 -03:00 · 2023-09-25 05:45:23 -03:00 · 5a8c3ad313
commit 5a8c3ad313
parent e43da4a739
11 changed files with 29 additions and 7 deletions
--- a/.github/workflows/auto_author_assign.yml
+++ b/.github/workflows/auto_author_assign.yml
@ -6,10 +6,12 @@ on:
    types: [opened, reopened]

 permissions:
-  pull-requests: write
+  contents: read

 jobs:
  assign-author:
    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
    steps:
      - uses: toshimaru/auto-author-assign@v1.6.2
--- a/.github/workflows/binder.yml
+++ b/.github/workflows/binder.yml
@ -3,6 +3,9 @@ on:
  pull_request_target:
    types: [opened]

+permissions:
+  contents: read
+
 jobs:
  binder:
    runs-on: ubuntu-latest
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -8,7 +8,7 @@ on:
    - cron: '0 0 * * *'

 permissions:
-  contents: write
+  contents: read

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
--- a/.github/workflows/buildutils.yml
+++ b/.github/workflows/buildutils.yml
@ -13,6 +13,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  versioning:
    runs-on: ubuntu-latest
--- a/.github/workflows/check-release.yml
+++ b/.github/workflows/check-release.yml
@ -5,7 +5,7 @@ on:
  pull_request:

 permissions:
-  contents: write
+  contents: read

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
--- a/.github/workflows/enforce-label.yml
+++ b/.github/workflows/enforce-label.yml
@ -1,5 +1,8 @@
 name: Enforce PR label

+permissions:
+  contents: read
+
 on:
  pull_request:
    types: [labeled, unlabeled, opened, edited, synchronize]
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@ -5,12 +5,14 @@ on:
    - cron: '0 0 * * *'

 permissions:
-  issues: write
-  pull-requests: write
+  contents: read

 jobs:
  lock:
    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
    steps:
      - uses: dessant/lock-threads@v4
        with:
--- a/.github/workflows/playwright-update.yml
+++ b/.github/workflows/playwright-update.yml
@ -5,13 +5,14 @@ on:
    types: [created, edited]

 permissions:
-  contents: write
-  pull-requests: write
+  contents: read

 jobs:
  update-snapshots:
    if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, 'update playwright snapshots') }}
    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write # Required by actions/update-snapshots
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/prep-release.yml
+++ b/.github/workflows/prep-release.yml
@ -19,6 +19,8 @@ on:
        description: 'Use PRs with activity since the last stable git tag'
        required: false
        type: boolean
+permissions:
+  contents: read
 jobs:
  prep_release:
    runs-on: ubuntu-latest
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@ -12,6 +12,9 @@ on:
        description: 'Comma separated list of steps to skip'
        required: false

+permissions:
+  contents: read
+
 jobs:
  publish_release:
    runs-on: ubuntu-latest
--- a/.github/workflows/ui-tests.yml
+++ b/.github/workflows/ui-tests.yml
@ -9,6 +9,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  build:
    name: Build