
Commit 3c9eacd

Merge pull request #2353 from authzed/tighten-token-scopes
Tighten GitHub workflow token scopes
2 parents 3566ae0 + 099b0b7 commit 3c9eacd

9 files changed

+25
-7
lines changed

.github/workflows/build-test.yaml

+2
@@ -10,6 +10,8 @@ on: # yamllint disable-line rule:truthy
1010
merge_group:
1111
types:
1212
- "checks_requested"
13+
permissions:
14+
contents: "read"
1315
env:
1416
DOCKERHUB_PUBLIC_ACCESS_TOKEN: "dckr_pat_8AEETZWxu8f7FvJUk9NrpyX_ZEQ"
1517
DOCKERHUB_PUBLIC_USER: "spicedbgithubactions"
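Review bot: The `env:` context lines of this hunk carry a Docker Hub access-token literal (`DOCKERHUB_PUBLIC_ACCESS_TOKEN`) committed in the workflow, which the scope tightening does not touch; the same lines appear in the security.yaml hunk. If this is an intentionally public, pull-only token, say so next to it, e.g. `# intentionally public read-only pull token; not a secret`, otherwise reference it as `${{ secrets.DOCKERHUB_PUBLIC_ACCESS_TOKEN }}` so rotation does not require a commit. Either way, the new workflow-level `contents: read` only governs GITHUB_TOKEN, not this credential.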

.github/workflows/cla.yaml

+2
@@ -12,6 +12,8 @@ on: # yamllint disable-line rule:truthy
1212
merge_group:
1313
types:
1414
- "checks_requested"
15+
permissions:
16+
contents: "read"
1517
jobs:
1618
cla:
1719
name: "Check Signature"
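Review bot: A workflow-level `permissions:` block with only `contents: read` drops every other GITHUB_TOKEN scope, so the `cla` job (whose body continues outside the hunk) can no longer post a PR comment or commit status unless it declares `pull-requests: write` / `statuses: write` at job level or uses a separate token. The same applies to the `triage` job in labeler.yaml, where a labeler action typically needs `pull-requests: write`. If the first run after this change still succeeds, fine; otherwise add a job-level `permissions:` block listing only the scopes the action documents.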

.github/workflows/labeler.yaml

+2
@@ -5,6 +5,8 @@ on: # yamllint disable-line rule:truthy
55
merge_group:
66
types:
77
- "checks_requested"
8+
permissions:
9+
contents: "read"
810
jobs:
911
triage:
1012
runs-on: "depot-ubuntu-24.04-small"

.github/workflows/lint.yaml

+2
@@ -10,6 +10,8 @@ on: # yamllint disable-line rule:truthy
1010
merge_group:
1111
types:
1212
- "checks_requested"
13+
permissions:
14+
contents: "read"
1315
jobs:
1416
go-license-check:
1517
name: "License Check"

.github/workflows/nightly.yaml

+4-2
@@ -5,11 +5,13 @@ on: # yamllint disable-line rule:truthy
55
branches:
66
- "main"
77
permissions:
8-
contents: "write"
9-
packages: "write"
8+
contents: "read"
109
jobs:
1110
goreleaser:
1211
runs-on: "depot-ubuntu-24.04-4"
12+
permissions:
13+
contents: "write"
14+
packages: "write" # publish to GHCR
1315
steps:
1416
- uses: "actions/checkout@v4"
1517
with:
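Review bot: The job-level `contents: "write"` on goreleaser has no comment while `packages: "write"` explains its purpose; since a job-level `permissions:` block replaces the workflow-level one entirely rather than adding to it, each scope deserves a one-line reason, e.g. `contents: "write" # create the release and upload assets`. The same unexplained `contents: "write"` is added in release-windows.yaml, release.yaml and wasm.yaml. If goreleaser is configured to sign or attest artifacts it would also need `id-token: write`, which this block now implicitly drops; worth confirming against the job's steps, which continue outside the hunk.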

.github/workflows/release-windows.yaml

+4-2
@@ -5,11 +5,13 @@ on: # yamllint disable-line rule:truthy
55
tags:
66
- "*"
77
permissions:
8-
contents: "write"
9-
packages: "write"
8+
contents: "read"
109
jobs:
1110
release-windows:
1211
runs-on: "windows-latest"
12+
permissions:
13+
contents: "write"
14+
packages: "write" # publish to GHCR
1315
steps:
1416
- uses: "actions/checkout@v4"
1517
with:

.github/workflows/release.yaml

+4-2
@@ -6,11 +6,13 @@ on: # yamllint disable-line rule:truthy
66
- "*"
77
workflow_dispatch:
88
permissions:
9-
contents: "write"
10-
packages: "write"
9+
contents: "read"
1110
jobs:
1211
goreleaser:
1312
runs-on: "depot-ubuntu-24.04-4"
13+
permissions:
14+
contents: "write"
15+
packages: "write" # publish to GHCR
1416
steps:
1517
- uses: "actions/checkout@v4"
1618
with:

.github/workflows/security.yaml

+2
@@ -10,6 +10,8 @@ on: # yamllint disable-line rule:truthy
1010
merge_group:
1111
types:
1212
- "checks_requested"
13+
permissions:
14+
contents: "read"
1315
env:
1416
DOCKERHUB_PUBLIC_ACCESS_TOKEN: "dckr_pat_8AEETZWxu8f7FvJUk9NrpyX_ZEQ"
1517
DOCKERHUB_PUBLIC_USER: "spicedbgithubactions"

.github/workflows/wasm.yaml

+3-1
@@ -4,11 +4,13 @@ on: # yamllint disable-line rule:truthy
44
release:
55
types: ["created"]
66
permissions:
7-
contents: "write"
7+
contents: "read"
88
jobs:
99
build:
1010
name: "Build WASM"
1111
runs-on: "depot-ubuntu-24.04-small"
12+
permissions:
13+
contents: "write"
1214
steps:
1315
- uses: "actions/checkout@v4"
1416
with:
