From 133f219a4ab8e0fa08a7e308bd5915421d2598b9 Mon Sep 17 00:00:00 2001
From: Sam Yuan
Date: Thu, 28 Nov 2024 16:07:40 +0800
Subject: [PATCH 1/2] [fix]: update gha permission settings

Signed-off-by: Sam Yuan
---
 .github/workflows/commitMsg.yml | 4 ++--
 .github/workflows/daily.yml | 2 ++
 .github/workflows/developer_local.yml | 2 ++
 .github/workflows/gosec.yml | 3 +++
 .github/workflows/pre-commit-auto-update.yml | 2 ++
 .github/workflows/pull_request.yml | 3 +++
 .github/workflows/unit_test.yml | 2 +-
 .github/workflows/yamllint.yml | 2 ++
 8 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/commitMsg.yml b/.github/workflows/commitMsg.yml
index 6d102c22b7..d309816580 100644
--- a/.github/workflows/commitMsg.yml
+++ b/.github/workflows/commitMsg.yml
@@ -2,6 +2,8 @@ name: Commit Message Check
 on: # yamllint disable-line rule:truthy
   pull_request:
 
+permissions: read-all
+
 jobs:
   check-commit-message:
     name: Check Commit Message
@@ -12,5 +14,3 @@ jobs:
 
       - name: Check commit message
         uses: webiny/action-conventional-commits@v1.3.0
-        with:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml
index a1ff4b3187..c70e582a65 100644
--- a/.github/workflows/daily.yml
+++ b/.github/workflows/daily.yml
@@ -6,6 +6,8 @@ on: # yamllint disable-line rule:truthy
   schedule:
     - cron: 12 9 * * *
 
+permissions: read-all
+
 jobs:
   # daily go security
   gosec:
diff --git a/.github/workflows/developer_local.yml b/.github/workflows/developer_local.yml
index bc4e2c5ba5..0a92ff22d4 100644
--- a/.github/workflows/developer_local.yml
+++ b/.github/workflows/developer_local.yml
@@ -3,6 +3,8 @@ name: local dev env validation
 on: # yamllint disable-line rule:truthy
   workflow_call:
 
+permissions: read-all
+
 jobs:
   local_env:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
index de56a455ba..24fd88daf4 100644
--- a/.github/workflows/gosec.yml
+++ b/.github/workflows/gosec.yml
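Review bot: `permissions: read-all` in the new commitMsg.yml block grants the job read access to every token scope, while the only step visible here is a commit-message check that at most needs `contents: read` and `pull-requests: read`; listing those scopes explicitly keeps the least-privilege intent the commit is going for. The same `read-all` shorthand is added in daily.yml, developer_local.yml, pre-commit-auto-update.yml and yamllint.yml, and the same substitution applies there. Once a workflow-level `permissions:` block names any scope, every scope not listed becomes `none`, which is what makes the explicit form both tighter and self-documenting.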
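Review bot: Dropping the `with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` input from webiny/action-conventional-commits@v1.3.0 leaves the step without an explicit token; if the action reads the token only from that input rather than defaulting to `github.token`, it loses API access to the PR commits and the check will fail. Worth confirming against the action's own `action.yml` before merging, or keeping the input and relying on the new workflow-level `permissions` to bound what that token may do. The `steps:` list this entry belongs to starts above the hunk.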
@@ -5,6 +5,9 @@ name: Security Scan
 on: # yamllint disable-line rule:truthy
   workflow_call:
 
+permissions:
+  pull-requests: read
+
 jobs:
   tests:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pre-commit-auto-update.yml b/.github/workflows/pre-commit-auto-update.yml
index 598ec477ee..543ef4ec86 100644
--- a/.github/workflows/pre-commit-auto-update.yml
+++ b/.github/workflows/pre-commit-auto-update.yml
@@ -4,6 +4,8 @@ on: # yamllint disable-line rule:truthy
   schedule:
     - cron: 0 0 1 * *
 
+permissions: read-all
+
 jobs:
   auto-update:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 8589c309f8..630c264ac8 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -8,6 +8,9 @@ on: # yamllint disable-line rule:truthy
       - enhancements/**
       - "*.md"
 
+permissions:
+  pull-requests: read
+
 jobs:
   c:
     uses: ./.github/workflows/c.yml
diff --git a/.github/workflows/unit_test.yml b/.github/workflows/unit_test.yml
index 6e0cdf3c47..9e3683c1c4 100644
--- a/.github/workflows/unit_test.yml
+++ b/.github/workflows/unit_test.yml
@@ -7,7 +7,7 @@ on: # yamllint disable-line rule:truthy
 
 permissions:
   pull-requests: write
-  contents: write
+  contents: read
   repository-projects: write
   packages: write
 
diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml
index 701e5229fd..5eca543b70 100644
--- a/.github/workflows/yamllint.yml
+++ b/.github/workflows/yamllint.yml
@@ -3,6 +3,8 @@ name: yamllint
 on: # yamllint disable-line rule:truthy
   workflow_call:
 
+permissions: read-all
+
 jobs:
   yamllint:
     runs-on: ubuntu-latest

From 2ddabe27ca52c7795944ba4b66ab1998f64fe0de Mon Sep 17 00:00:00 2001
From: Sam Yuan
Date: Thu, 28 Nov 2024 16:11:10 +0800
Subject: [PATCH 2/2] [fix]: fix with permissions for PR pipeline

Signed-off-by: Sam Yuan
---
 .github/workflows/pull_request.yml | 3 ---
 1 file changed, 3 deletions(-)

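Review bot: The new `permissions:` block in gosec.yml lists only `pull-requests: read`, which sets every other scope — including `contents` — to `none` for the `tests` job; if that job checks the repository out with actions/checkout it will also need `contents: read`, and `security-events: write` if it uploads SARIF results. Suggest `permissions:\n  contents: read\n  pull-requests: read` unless the steps below the hunk show no checkout. Because this workflow is entered via `workflow_call`, the effective scopes are further capped by whatever the caller grants, so the caller's block has to be checked against the same list.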
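Review bot: `permissions: read-all` on a scheduled pre-commit auto-update workflow is likely too narrow rather than too broad: if the `auto-update` job commits the refreshed hook versions or opens a pull request with `GITHUB_TOKEN`, those calls are rejected once the token holds only read scopes. The steps are outside the hunk, so this is inferred from the workflow's name; if it does push or open a PR, grant the write scopes at job level only, e.g. `permissions:\n  contents: write\n  pull-requests: write` under `auto-update`, and keep the workflow-level default read-only.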
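Review bot: Adding a top-level `permissions:` block with only `pull-requests: read` to pull_request.yml sets every other scope to `none` for every job in the file, and because these jobs call reusable workflows (`uses: ./.github/workflows/c.yml` and siblings) the called workflows can never regain `contents: read` or anything else the caller withholds; that is the likely cause of the breakage patch 2/2 reverts. Rather than dropping the block entirely, a caller-level baseline of `permissions:\n  contents: read\n  pull-requests: read` keeps the pipeline least-privilege while still letting checkout work in the called workflows.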
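Review bot: Tightening `contents` to `read` still leaves `pull-requests: write`, `repository-projects: write` and `packages: write` in unit_test.yml's workflow-level permissions, which is a broad set for a test workflow; if no job in this file publishes packages, edits project boards or comments on PRs, those three should be dropped or lowered to `read` as well. If a single job does need one of them (for example posting a coverage comment), move that scope to a job-level `permissions:` so the rest of the workflow stays read-only. The jobs are outside the hunk, so the exact need has to be confirmed from the rest of the file.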
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 630c264ac8..8589c309f8 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -8,9 +8,6 @@ on: # yamllint disable-line rule:truthy
       - enhancements/**
       - "*.md"
 
-permissions:
-  pull-requests: read
-
 jobs:
   c:
     uses: ./.github/workflows/c.yml