From 3f90e2a8ccd1384f87225f74c06c37edf119025b Mon Sep 17 00:00:00 2001 From: Laukik Date: Sun, 27 Oct 2024 00:55:05 +0530 Subject: [PATCH] chore(OSSF): update token permissions to improve ossf scorecard fix: update npm start script to run locally revert changes for npm start and remove packages write permission --- .github/workflows/ci.yml | 5 +++-- .github/workflows/codeql.yml | 6 ++++++ .github/workflows/dependency-review.yml | 4 ++++ .github/workflows/lint.yml | 7 ++++++- .github/workflows/npm.yml | 5 +++++ .github/workflows/scorecard.yml | 6 ++++-- 6 files changed, 28 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 96d34193..0afb57fc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,7 +10,10 @@ on: branches: [ main ] permissions: + contents: read pull-requests: write + actions: read + statuses: write jobs: build: @@ -78,5 +81,3 @@ jobs: wait-on: "http://localhost:3000" wait-on-timeout: 120 run: npm run cypress:run - - diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d3dfacbb..2b9cdc7e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -19,6 +19,12 @@ on: schedule: - cron: '25 10 * * 1' +permissions: + security-events: write + contents: read + actions: read + statuses: write + jobs: analyze: name: Analyze diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index aa041d99..a606b49a 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -8,6 +8,10 @@ permissions: jobs: dependency-review: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: - name: 'Checkout Repository' uses: actions/checkout@v4 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 69c2ecd5..82d14da9 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
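Review bot: `statuses: write` is added at the workflow level in ci.yml with no step in either ci.yml hunk that sets a commit status, and the pre-existing `pull-requests: write` stays workflow-wide next to it. The Scorecard Token-Permissions check credits a read-only workflow-level token with write scopes declared on the individual job, so if the cypress step (second hunk) or another step in `build` really needs either scope, move it under `jobs.build.permissions` and leave only `contents: read` and `actions: read` at the top. Declaring any `permissions` block replaces the repository default, so the added `contents: read` is what keeps checkout working; a one-line comment such as `# workflow token is read-only; grant write scopes per job` would make that intent survive the next edit. The `build` job body lies outside the first hunk, so whether anything consumes `statuses: write` cannot be confirmed here.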
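Review bot: `statuses: write` in the new codeql.yml permissions block has no visible consumer: uploading CodeQL results needs `security-events: write`, plus `contents: read` (checkout) and `actions: read`, and the upstream CodeQL starter workflow declares those scoped to the `analyze` job rather than to the whole workflow. Dropping `statuses: write` and moving the remaining three keys under `jobs.analyze.permissions` keeps the workflow-level token read-only, which is what the scorecard check rewards. The `analyze` job continues past the hunk, so any extra step that would legitimately set a status is not visible here.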
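Review bot: the job-level `permissions` block added to the `dependency-review` job overrides, rather than merges with, the workflow-level `permissions:` block named in the hunk header, so the top-level block no longer applies to this job and the two should be reconciled in one place. `pull-requests: write` is only required by dependency-review-action when it is configured to post a summary comment on the pull request (`comment-summary-in-pr`); the step's inputs are outside the hunk, so if that option is not set, `contents: read` alone is sufficient and the write scope should go. The steps list continues past the hunk.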
@@ -2,6 +2,11 @@ name: Code Cleanliness on: [pull_request] +permissions: + contents: read + pull-requests: none + actions: read + env: # environment variables (available in any part of the action) NODE_VERSION: 18 @@ -26,4 +31,4 @@ jobs: - name: Code Linting run: | npm run lint - npm run lint --workspaces --if-present \ No newline at end of file + npm run lint --workspaces --if-present diff --git a/.github/workflows/npm.yml b/.github/workflows/npm.yml index 44a3c4a7..84a55bfb 100644 --- a/.github/workflows/npm.yml +++ b/.github/workflows/npm.yml @@ -2,6 +2,11 @@ name: Publish to NPM on: release: types: [published] + +permissions: + contents: read + actions: read + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 7a61e926..29a15924 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -14,8 +14,10 @@ on: push: branches: [ "main" ] -# Declare default permissions as read only. -permissions: read-all +permissions: + contents: read + security-events: write + id-token: write jobs: analysis:
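Review bot: `pull-requests: none` in the new lint.yml block is a no-op: once any `permissions` block is declared, every scope not listed is already `none`, so the line only adds noise and invites the reader to wonder what it disables. `actions: read` has no visible consumer in a lint job either; `contents: read` alone covers checkout, so the block can shrink to `permissions:` / `  contents: read`. The job body is outside the first hunk, so if a step does read workflow-run metadata, keep `actions: read` with a comment saying which step needs it.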
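Review bot: the workflow-level block in npm.yml grants only `contents: read` and `actions: read`, which is right for a token-authenticated `npm publish`, but if the publish step passes `--provenance` (OIDC-signed attestations) it additionally needs `id-token: write`, and that scope belongs on the publishing job rather than at the top. The `build` job body and any publish step lie outside the hunk, so this needs confirming against the rest of the file. `actions: read` has no visible consumer; if nothing reads workflow-run metadata, drop it and keep `contents: read` alone, with a comment noting that the npm token comes from a secret rather than from `GITHUB_TOKEN`.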
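Review bot: replacing `permissions: read-all` with a workflow-level block that carries `security-events: write` and `id-token: write` hands write scopes to every job in scorecard.yml, which is the opposite of what the ossf/scorecard-action template does: it keeps `permissions: read-all` at the top and declares `security-events: write` (SARIF upload) and `id-token: write` (publishing results and the badge) under the job's own `permissions`. The commit also deletes the `# Declare default permissions as read only.` comment, which should return with the restored top-level line. The `analysis` job begins on the hunk's last line and continues outside it, so the job-level block slots in directly below that key.
```yaml
# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    permissions:
      # Needed to upload the results to the code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge.
      id-token: write
      contents: read
    # … unchanged: runs-on, steps …
```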