summaryrefslogtreecommitdiffstats
path: root/.github/workflows
diff options
context:
space:
mode:
authorNick Brassel <nick@tzarc.org>2022-12-23 10:41:16 +1100
committerGitHub <noreply@github.com>2022-12-23 10:41:16 +1100
commitf75ac6042ed042c329ab3d1c9cec46b4c4b81918 (patch)
tree4b5c834d84bb7752e459243a2ec5893a64f3f5a9 /.github/workflows
parentb8a9de206d38f0e047c2f07bca398d6fe53b76a9 (diff)
Lock down workflow permissions. (#19406)
Co-authored-by: Joel Challis <git@zvecr.com>
Diffstat (limited to '.github/workflows')
-rw-r--r--.github/workflows/api.yml3
-rw-r--r--.github/workflows/auto_approve.yml2
-rw-r--r--.github/workflows/auto_tag.yml3
-rw-r--r--.github/workflows/cli.yml3
-rw-r--r--.github/workflows/develop_update.yml3
-rw-r--r--.github/workflows/docs.yml3
-rw-r--r--.github/workflows/feature_branch_update.yml3
-rw-r--r--.github/workflows/format.yml3
-rw-r--r--.github/workflows/format_push.yml3
-rw-r--r--.github/workflows/labeler.yml4
-rw-r--r--.github/workflows/lint.yml3
-rw-r--r--.github/workflows/stale.yml9
-rw-r--r--.github/workflows/unit_test.yml3
13 files changed, 41 insertions, 4 deletions
diff --git a/.github/workflows/api.yml b/.github/workflows/api.yml
index 0cff4f6e75..2abfe696fd 100644
--- a/.github/workflows/api.yml
+++ b/.github/workflows/api.yml
@@ -1,5 +1,8 @@
name: Update API Data
+permissions:
+ contents: read
+
on:
push:
branches:
diff --git a/.github/workflows/auto_approve.yml b/.github/workflows/auto_approve.yml
index dea3f017dd..1db1c49a9b 100644
--- a/.github/workflows/auto_approve.yml
+++ b/.github/workflows/auto_approve.yml
@@ -1,5 +1,7 @@
name: Automatic Approve
+permissions: {}
+
on:
schedule:
- cron: "*/5 * * * *"
diff --git a/.github/workflows/auto_tag.yml b/.github/workflows/auto_tag.yml
index d6fcbe48e4..d1776c058d 100644
--- a/.github/workflows/auto_tag.yml
+++ b/.github/workflows/auto_tag.yml
@@ -1,5 +1,8 @@
name: Essential files modified
+permissions:
+ contents: write
+
on:
push:
branches:
diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml
index 72f2ea293a..aeca9679cb 100644
--- a/.github/workflows/cli.yml
+++ b/.github/workflows/cli.yml
@@ -1,5 +1,8 @@
name: CLI CI
+permissions:
+ contents: read
+
on:
push:
branches:
diff --git a/.github/workflows/develop_update.yml b/.github/workflows/develop_update.yml
index 18ca84162b..9c041c42ec 100644
--- a/.github/workflows/develop_update.yml
+++ b/.github/workflows/develop_update.yml
@@ -1,5 +1,8 @@
name: Update develop after master merge
+permissions:
+ contents: write
+
on:
push:
branches:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 1497739a0b..841573cf30 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,5 +1,8 @@
name: Generate Docs
+permissions:
+ contents: write
+
on:
push:
branches:
diff --git a/.github/workflows/feature_branch_update.yml b/.github/workflows/feature_branch_update.yml
index 90cd85e355..bfc4c7d65e 100644
--- a/.github/workflows/feature_branch_update.yml
+++ b/.github/workflows/feature_branch_update.yml
@@ -1,5 +1,8 @@
name: Update feature branches after develop merge
+permissions:
+ contents: write
+
on:
push:
branches:
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index b6ce4063fe..782530f62e 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -1,5 +1,8 @@
name: PR Lint Format
+permissions:
+ contents: read
+
on:
pull_request:
paths:
diff --git a/.github/workflows/format_push.yml b/.github/workflows/format_push.yml
index 910bba9a4e..5469ab0faa 100644
--- a/.github/workflows/format_push.yml
+++ b/.github/workflows/format_push.yml
@@ -1,5 +1,8 @@
name: Lint Format
+permissions:
+ contents: read
+
on:
push:
branches:
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 3b99a8f43e..95f58ff003 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -1,5 +1,9 @@
name: "Pull Request Labeler"
+permissions:
+ contents: read
+ pull-requests: write
+
on:
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review, locked]
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 5b8a45f26b..8e1dbcaea2 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,5 +1,8 @@
name: PR Lint keyboards
+permissions:
+ contents: read
+
on:
pull_request:
paths:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 297af8e19c..1c5b3e1197 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,13 +1,14 @@
name: 'Close stale issues and PRs'
-on:
- schedule:
- - cron: '30 1 * * *'
- workflow_dispatch:
permissions:
issues: write
pull-requests: write
+on:
+ schedule:
+ - cron: '30 1 * * *'
+ workflow_dispatch:
+
jobs:
stale:
runs-on: ubuntu-latest
diff --git a/.github/workflows/unit_test.yml b/.github/workflows/unit_test.yml
index c8373441ff..75ed84177b 100644
--- a/.github/workflows/unit_test.yml
+++ b/.github/workflows/unit_test.yml
@@ -1,5 +1,8 @@
name: Unit Tests
+permissions:
+ contents: read
+
on:
push:
branches: