From 65b83e90d5ee79464dba0dc2b41d3da38c4f8d5c Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Thu, 4 Aug 2022 12:12:34 -0700 Subject: [PATCH] Add GitHub token permissions for workflows (#17781) Signed-off-by: Varun Sharma --- .github/workflows/codeql-analysis.yml | 7 +++++++ .github/workflows/createReminders.yml | 6 ++++++ .github/workflows/daily.yml | 12 ++++++++++++ .github/workflows/exp-json.yml | 6 ++++++ .github/workflows/markdownLink.yml | 3 +++ .github/workflows/markdownLinkDaily.yml | 3 +++ .github/workflows/processReminders.yml | 6 ++++++ .github/workflows/rebase.yml | 6 ++++++ 8 files changed, 49 insertions(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index aa201230f46..48ff5aad04c 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -14,8 +14,15 @@ defaults: env: DOTNET_SKIP_FIRST_TIME_EXPERIENCE: 1 +permissions: + contents: read + jobs: analyze: + permissions: + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/analyze to upload SARIF results name: Analyze runs-on: ubuntu-18.04 diff --git a/.github/workflows/createReminders.yml b/.github/workflows/createReminders.yml index b779e19d545..290141703d7 100644 --- a/.github/workflows/createReminders.yml +++ b/.github/workflows/createReminders.yml @@ -4,8 +4,14 @@ on: issue_comment: types: [created, edited] +permissions: + contents: read + jobs: reminder: + permissions: + issues: write # for agrc/create-reminder-action to set reminders on issues + pull-requests: write # for agrc/create-reminder-action to set reminders on PRs runs-on: ubuntu-latest steps: diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml index 5ba0945d229..dbc85f6ee5b 100644 --- a/.github/workflows/daily.yml +++ b/.github/workflows/daily.yml 
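Review bot: The job-level `permissions` block added under `analyze` replaces the workflow-level `contents: read` entirely rather than merging with it, which is why `contents: read` has to be restated inside the job; a reader skimming the file could conclude the top-level block is redundant or that job blocks only add scopes. Suggest a comment on the workflow-level block, e.g. `# default token scope for every job; a job-level permissions block REPLACES this, so jobs must restate contents: read`. The analyze job's steps continue outside the hunk, so I cannot confirm that nothing beyond the three listed scopes is needed.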
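Review bot: The reminder job now holds `issues: write` and `pull-requests: write`, but nothing in the hunk restricts who can trigger it: `issue_comment` with `types: [created, edited]` fires for every comment from any account, and no job-level `if:` appears between `reminder:` and `runs-on:`. Narrowing the token limits the blast radius to issue and PR metadata, which is a real improvement, but the job is still driven by untrusted comment text with a write-capable token. Unless agrc/create-reminder-action checks the commenter's role internally (not visible here), consider gating the job with `if: contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`. The job's steps continue outside the hunk.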
@@ -16,8 +16,14 @@ env: DOTNET_CLI_TELEMETRY_OPTOUT: 1 POWERSHELL_TELEMETRY_OPTOUT: 1 +permissions: + contents: read + jobs: update-dotnet-preview: + permissions: + contents: write # for peter-evans/create-pull-request to create branch + pull-requests: write # for peter-evans/create-pull-request to create a PR name: Update .NET preview timeout-minutes: 15 runs-on: windows-latest @@ -57,6 +63,9 @@ jobs: base: master branch: dotnet_update update-tpn: + permissions: + contents: write # for peter-evans/create-pull-request to create branch + pull-requests: write # for peter-evans/create-pull-request to create a PR name: Update Notices File timeout-minutes: 15 runs-on: windows-latest @@ -97,6 +106,9 @@ jobs: draft: false branch: update-cgmanifest update-cgmanifest: + permissions: + contents: write # for peter-evans/create-pull-request to create branch + pull-requests: write # for peter-evans/create-pull-request to create a PR name: Update cgmanifest timeout-minutes: 15 runs-on: windows-latest diff --git a/.github/workflows/exp-json.yml b/.github/workflows/exp-json.yml index cee56be1216..629ff0f55e4 100644 --- a/.github/workflows/exp-json.yml +++ b/.github/workflows/exp-json.yml @@ -16,6 +16,9 @@ env: DOTNET_CLI_TELEMETRY_OPTOUT: 1 POWERSHELL_TELEMETRY_OPTOUT: 1 +permissions: + contents: read + jobs: create-expjson: strategy: @@ -72,6 +75,9 @@ jobs: path: experimental-feature-*-new.json compare-expjson-files: + permissions: + contents: write # for peter-evans/create-pull-request to create branch + pull-requests: write # for peter-evans/create-pull-request to create a PR runs-on: ubuntu-latest name: Compare experimental json files and create PR needs: create-expjson diff --git a/.github/workflows/markdownLink.yml b/.github/workflows/markdownLink.yml index 5b33b7fe524..2c0796ac2d1 100644 --- a/.github/workflows/markdownLink.yml +++ b/.github/workflows/markdownLink.yml 
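Review bot: `contents: write` is the narrowest GITHUB_TOKEN scope under which peter-evans/create-pull-request can push a branch, but it is repository-wide: the token can push to any unprotected branch, not only the `dotnet_update` branch named later in this file. That is acceptable only if `master` (the `base:` shown in context) is branch-protected, which the hunk cannot show; worth confirming and recording next to the scope, e.g. `# repo-wide push scope; relies on branch protection of master to confine this to dotnet_update`. If the create-pull-request step instead passes its own `token:` (steps are outside the hunk), both write scopes on GITHUB_TOKEN are unnecessary and should be dropped. Presumably this workflow is schedule-driven given its name, so the write token is not exposed to an external trigger — please confirm against the `on:` block above the hunk.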
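Review bot: The context lines above the new `update-cgmanifest` permissions show the preceding job's create-pull-request step pushing to `branch: update-cgmanifest`, the same name as this job; if this job's own step (outside the hunk) also uses `branch: update-cgmanifest`, the two jobs will overwrite each other's PR branch, and with `contents: write` on both the later job silently clobbers the earlier one. This is pre-existing rather than introduced here, but the hunk is the right place to confirm it — the update-tpn step likely meant `branch: update-tpn`. The job's steps continue outside the hunk.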
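Review bot: The write token is confined to `compare-expjson-files`, while the matrix job it `needs` (`create-expjson`) stays at the workflow default `contents: read`; that split is the point of the change and worth making explicit so a future edit does not hoist the scopes to the workflow level. Suggest a comment on the job block, e.g. `# only this job opens the PR; create-expjson stays read-only and hands its result over as an artifact`. As with the other create-pull-request jobs, if the step passes its own `token:` (not visible here) the GITHUB_TOKEN write scopes are unnecessary. The job's steps continue outside the hunk.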
@@ -5,6 +5,9 @@ on: - 'release/**' name: Check links for modified files +permissions: + contents: read + jobs: markdown-link-check: runs-on: ubuntu-latest diff --git a/.github/workflows/markdownLinkDaily.yml b/.github/workflows/markdownLinkDaily.yml index 0fef5c3f499..7a4a1259a64 100644 --- a/.github/workflows/markdownLinkDaily.yml +++ b/.github/workflows/markdownLinkDaily.yml @@ -9,6 +9,9 @@ on: # At 13:00 UTC every day. - cron: '0 13 * * *' +permissions: + contents: read + jobs: markdown-link-check: runs-on: ubuntu-latest diff --git a/.github/workflows/processReminders.yml b/.github/workflows/processReminders.yml index 65322ebd7bf..c660788a620 100644 --- a/.github/workflows/processReminders.yml +++ b/.github/workflows/processReminders.yml @@ -5,8 +5,14 @@ on: - cron: '*/15 * * * *' workflow_dispatch: +permissions: + contents: read + jobs: reminder: + permissions: + issues: write # for agrc/reminder-action to set reminders on issues + pull-requests: write # for agrc/reminder-action to set reminders on PRs runs-on: ubuntu-latest steps: diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml index ce4c83e390d..2ec027625b6 100644 --- a/.github/workflows/rebase.yml +++ b/.github/workflows/rebase.yml @@ -5,8 +5,14 @@ on: issue_comment: types: [created] name: Automatic Rebase +permissions: + contents: read + jobs: rebase: + permissions: + contents: write # for cirrus-actions/rebase to push code to rebase + pull-requests: write # for actions/github-script to create PR comment name: Rebase if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') runs-on: ubuntu-latest
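Review bot: With `contents: write` now granted explicitly to the rebase job, the only gate is the `if:` two lines below, which checks that the comment is on a PR and contains `/rebase`; any account able to comment can invoke it, and there is no `author_association` check. The scope comment itself says cirrus-actions/rebase pushes the rebased code, so an unprivileged commenter can make the repository's token perform a push on their behalf — for same-repo PR branches that is a write to this repository driven by untrusted input. Suggest tightening the condition: `if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`. If the rebase step passes its own PAT instead (steps are outside the hunk), `contents: write` on GITHUB_TOKEN is unnecessary and should be removed rather than kept as a fallback.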