Skip to content

Commit f8a3f23

Browse files
committed
feat: harden workflows with permissions and persist-credentials
Refs: RATY-350
1 parent 4181e25 commit f8a3f23

6 files changed

Lines changed: 53 additions & 0 deletions

File tree

.github/workflows/ci-django-api.yml

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -47,6 +47,9 @@ on:
4747
required: false
4848
workflow_dispatch:
4949

50+
permissions:
51+
contents: read
52+
5053
env:
5154
SECRET_KEY: topsecret123
5255
DATABASE_URL: ${{ inputs.use-postgis == true && 'postgis' || 'postgres' }}://test_user:test_password@localhost/test_db
@@ -60,6 +63,8 @@ jobs:
6063
steps:
6164
- name: Checkout
6265
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
66+
with:
67+
persist-credentials: false
6368
- name: Run commitlint
6469
uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
6570
with:
@@ -71,6 +76,8 @@ jobs:
7176
steps:
7277
- name: Checkout
7378
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
79+
with:
80+
persist-credentials: false
7481
- name: Setup Python ${{ inputs.python-version }}
7582
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
7683
with:
@@ -126,6 +133,7 @@ jobs:
126133
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
127134
with:
128135
fetch-depth: 1
136+
persist-credentials: false
129137
- name: Install system packages
130138
run: |
131139
sudo apt-get update
@@ -188,6 +196,7 @@ jobs:
188196
# Required by SonarQube Cloud for blame information
189197
with:
190198
fetch-depth: 0
199+
persist-credentials: false
191200
- name: Restore coverage.xml
192201
uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
193202
with:

.github/workflows/ci-node.yml

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -57,13 +57,18 @@ on:
5757
required: true
5858
workflow_dispatch:
5959

60+
permissions:
61+
contents: read
62+
6063
jobs:
6164
commitlint:
6265
name: Check commit messages
6366
runs-on: ubuntu-latest
6467
steps:
6568
- name: Checkout
6669
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
70+
with:
71+
persist-credentials: false
6772
- name: Run commitlint
6873
uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
6974
with:
@@ -78,6 +83,8 @@ jobs:
7883
working-directory: ${{ inputs.working-directory }}
7984
steps:
8085
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
86+
with:
87+
persist-credentials: false
8188
- name: Use Node.js ${{ inputs.node-version }} with dependency path
8289
if: ${{ inputs.working-directory != '.' }}
8390
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
@@ -146,6 +153,8 @@ jobs:
146153
working-directory: ${{ inputs.working-directory }}
147154
steps:
148155
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
156+
with:
157+
persist-credentials: false
149158
- name: Use Node.js ${{ inputs.node-version }} with dependency path
150159
if: ${{ inputs.working-directory != '.' }}
151160
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
@@ -203,6 +212,7 @@ jobs:
203212
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
204213
with:
205214
fetch-depth: 0
215+
persist-credentials: false
206216
# Coverage path logic (keep in sync with tests job's cache/save step):
207217
# Resolves the effective directory (app-directory if set, else working-directory),
208218
# then prefixes 'coverage' with '<dir>/' when running in a subdirectory.

.github/workflows/ci-npm-publish.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,9 @@ on:
4343
type: boolean
4444
default: false
4545

46+
permissions:
47+
contents: read
48+
4649
jobs:
4750
publish-npm-stable:
4851
runs-on: ubuntu-latest
@@ -51,6 +54,8 @@ jobs:
5154
id-token: write
5255
steps:
5356
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
57+
with:
58+
persist-credentials: false
5459
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
5560
with:
5661
node-version: ${{ inputs.node-version }}

.github/workflows/ci-pnpm-node.yml

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -65,13 +65,18 @@ on:
6565
required: true
6666
workflow_dispatch:
6767

68+
permissions:
69+
contents: read
70+
6871
jobs:
6972
commitlint:
7073
name: Check commit messages
7174
runs-on: ubuntu-latest
7275
steps:
7376
- name: Checkout
7477
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
78+
with:
79+
persist-credentials: false
7580
- name: Run commitlint
7681
uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
7782
with:
@@ -86,6 +91,8 @@ jobs:
8691
working-directory: ${{ inputs.working-directory }}
8792
steps:
8893
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
94+
with:
95+
persist-credentials: false
8996

9097
- name: Setup pnpm
9198
uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6.0.5
@@ -158,6 +165,8 @@ jobs:
158165
working-directory: ${{ inputs.working-directory }}
159166
steps:
160167
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
168+
with:
169+
persist-credentials: false
161170

162171
- name: Setup pnpm
163172
uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6.0.5
@@ -215,6 +224,7 @@ jobs:
215224
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
216225
with:
217226
fetch-depth: 0
227+
persist-credentials: false
218228

219229
# Coverage path logic (keep in sync with tests job's cache/save step):
220230
# Resolves the effective directory (app-directory if set, else working-directory),

.github/workflows/ci-python-library.yml

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,6 +35,9 @@ on:
3535
description: "GITHUB_TOKEN. Required if enable-sonar is set to true."
3636
required: false
3737

38+
permissions:
39+
contents: read
40+
3841
jobs:
3942
commitlint:
4043
name: Check commit messages
@@ -43,6 +46,8 @@ jobs:
4346
steps:
4447
- name: Checkout
4548
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
49+
with:
50+
persist-credentials: false
4651

4752
- name: Run commitlint
4853
uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
@@ -55,6 +60,8 @@ jobs:
5560
steps:
5661
- name: Checkout
5762
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
63+
with:
64+
persist-credentials: false
5865

5966
- name: Setup Python ${{ inputs.python-version }}
6067
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -75,6 +82,8 @@ jobs:
7582

7683
steps:
7784
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
85+
with:
86+
persist-credentials: false
7887

7988
- name: Set up Python ${{ matrix.python_version }}
8089
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -119,6 +128,7 @@ jobs:
119128
with:
120129
# Required by SonarQube Cloud
121130
fetch-depth: 0
131+
persist-credentials: false
122132

123133
- name: Download coverage reports
124134
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1

.github/workflows/ci-uv-django-api.yml

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -47,6 +47,9 @@ on:
4747
required: false
4848
workflow_dispatch:
4949

50+
permissions:
51+
contents: read
52+
5053
env:
5154
SECRET_KEY: topsecret123
5255
DATABASE_URL: ${{ inputs.use-postgis == true && 'postgis' || 'postgres' }}://test_user:test_password@localhost/test_db
@@ -60,6 +63,8 @@ jobs:
6063
steps:
6164
- name: Checkout
6265
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
66+
with:
67+
persist-credentials: false
6368
- name: Run commitlint
6469
uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
6570
with:
@@ -71,6 +76,8 @@ jobs:
7176
steps:
7277
- name: Checkout
7378
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
79+
with:
80+
persist-credentials: false
7481
- name: Setup Python ${{ inputs.python-version }}
7582
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
7683
with:
@@ -126,6 +133,7 @@ jobs:
126133
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
127134
with:
128135
fetch-depth: 1
136+
persist-credentials: false
129137
- name: Install system packages
130138
run: |
131139
sudo apt-get update
@@ -177,6 +185,7 @@ jobs:
177185
# Required by SonarQube Cloud for blame information
178186
with:
179187
fetch-depth: 0
188+
persist-credentials: false
180189
- name: Restore coverage.xml
181190
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
182191
with:

0 commit comments

Comments
 (0)