Merge pull request #191 from cisagov/improvement/github_tokenn_polp

Explicitly define permissions of `GITHUB_TOKEN` in our GitHub Actions workflows
cisagov · Oct 30, 2024 · 971602a · 971602a
2 parents ff221ba + 8a77a8b
commit 971602a
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -30,6 +30,8 @@ env:
 jobs:
   diagnostics:
     name: Run diagnostics
+    # This job does not need any permissions
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       # Note that a duplicate of this step must be added at the top of
@@ -54,6 +56,9 @@ jobs:
   lint:
     needs:
       - diagnostics
+    permissions:
+      # actions/checkout needs this to fetch code
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1

diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
@@ -14,6 +14,8 @@ permissions:
 jobs:
   diagnostics:
     name: Run diagnostics
+    # This job does not need any permissions
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       # Note that a duplicate of this step must be added at the top of