| author | Alex <aleksandrosansan@gmail.com> | 2022-12-03 17:47:30 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-12-03 08:47:30 -0700 |
| commit | e2cea6121a7b7f82693c05f63921a977ccd9a411 (patch) | |
| tree | 12c23a74bb38614149311f34fcaf153e231175b0 | |
| parent | db2c0d4c91a952407ab7709d9ff5c86017e5753e (diff) | |
Harden GitHub Workflows security (#8664)
| -rw-r--r-- | .github/workflows/automation.yml | 1 | ||||
| -rw-r--r-- | .github/workflows/commands.yml | 4 | ||||
| -rw-r--r-- | .github/workflows/openapi.yml | 5 | ||||
| -rw-r--r-- | .github/workflows/repo-stale.yaml | 1 |
4 files changed, 11 insertions, 0 deletions
diff --git a/.github/workflows/automation.yml b/.github/workflows/automation.yml
index 0989df64b..2dc7fb5a3 100644
--- a/.github/workflows/automation.yml
+++ b/.github/workflows/automation.yml
@@ -7,6 +7,7 @@ on:
 pull_request_target:
 issue_comment:
+permissions: {}
 jobs:
 label:
 name: Labeling
diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml
index a29519b29..f7fbc4706 100644
--- a/.github/workflows/commands.yml
+++ b/.github/workflows/commands.yml
@@ -9,6 +9,7 @@ on:
 - labeled
 - synchronize
+permissions: {}
 jobs:
 rebase:
 name: Rebase
@@ -34,6 +35,9 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.JF_BOT_TOKEN }}
 check-backport:
+ permissions:
+ contents: read
+
 name: Check Backport
 if: ${{ ( github.event.issue.pull_request && contains(github.event.comment.body, '@jellyfin-bot check backport') ) || github.event.label.name == 'stable backport' || contains(github.event.pull_request.labels.*.name, 'stable backport' ) }}
 runs-on: ubuntu-latest
diff --git a/.github/workflows/openapi.yml b/.github/workflows/openapi.yml
index 390d140fd..a82579f1b 100644
--- a/.github/workflows/openapi.yml
+++ b/.github/workflows/openapi.yml
@@ -5,6 +5,8 @@ on:
 - master
 pull_request_target:
+permissions: {}
+
 jobs:
 openapi-head:
 name: OpenAPI - HEAD
@@ -55,6 +57,9 @@ jobs:
 path: tests/Jellyfin.Server.Integration.Tests/bin/Release/net6.0/openapi.json
 openapi-diff:
+ permissions:
+ pull-requests: write # to create or update comment (peter-evans/create-or-update-comment)
+
 name: OpenAPI - Difference
 if: ${{ github.event_name == 'pull_request_target' }}
 runs-on: ubuntu-latest
diff --git a/.github/workflows/repo-stale.yaml b/.github/workflows/repo-stale.yaml
index f7a77f02b..1c6fe1492 100644
--- a/.github/workflows/repo-stale.yaml
+++ b/.github/workflows/repo-stale.yaml
@@ -5,6 +5,7 @@ on:
 - cron: '30 1 * * *'
 workflow_dispatch:
+permissions: {}
 jobs:
 stale:
 runs-on: ubuntu-latest
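Review bot: The workflow-level `permissions: {}` leaves the `label` job with a GITHUB_TOKEN that has no scopes, yet adding labels to a pull request needs `pull-requests: write` (or `issues: write`) and no job-level grant is added in this hunk. If the job uses the automatic token rather than a stored PAT, the `pull_request_target` and `issue_comment` runs will start failing with 403 errors; the same gap applies to the `stale` job in the repo-stale.yaml hunk, which typically needs `issues: write` and `pull-requests: write` to mark and close items. Both job bodies start outside their hunks, so confirm which token they use; if it is the automatic one, add a job-level block such as `permissions:` / `  pull-requests: write` scoped to exactly what the action needs.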
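Review bot: The new `permissions: {}` narrows only the automatic GITHUB_TOKEN, while the `rebase` job in this file runs with `GITHUB_TOKEN: ${{ secrets.JF_BOT_TOKEN }}` (visible as context in the second hunk), a stored credential whose scopes are fixed on the token itself; this commit therefore does not change what that job can do with it. A short comment next to the block would keep a later reader from reading the empty map as full hardening, e.g. `# scopes the automatic GITHUB_TOKEN only; JF_BOT_TOKEN keeps whatever scopes were granted to the PAT`. The rebase job body is outside the hunk, so whether it also relies on the automatic token for any step cannot be confirmed from here.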
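Review bot: The added blank line after `contents: read` splits the `check-backport` mapping, leaving `permissions:` visually detached from the `name:`, `if:` and `runs-on:` keys that belong to the same job; the same blank-line placement appears in the `openapi-diff` hunk of openapi.yml. Conventional placement keeps a job's keys contiguous, with `permissions:` next to `runs-on:`, so dropping the blank line (or moving the block below `runs-on: ubuntu-latest`) reads better. The grant itself is appropriate: the job only evaluates comment and label data in its `if:` condition and needs `contents: read` for a checkout, if it performs one; the step list is outside the hunk.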
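Review bot: With `permissions: {}` at the top of openapi.yml, `openapi-head` (and any sibling job whose body lies outside this hunk) no longer has `contents: read`, while the same commit grants `contents: read` explicitly to `check-backport` in commands.yml. If these jobs check out sources with actions/checkout using the automatic token and have no job-level block of their own, they need the same grant, `permissions:` / `  contents: read`, or the checkout step will fail under the new default. The job bodies are not visible here, so treat this as a consistency check against the commands.yml change rather than a confirmed break.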
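Review bot: `pull-requests: write` is granted to a job that runs only under `pull_request_target` (see the `if:` context line), so it executes with base-repository secrets and a write-capable token while consuming output built from the pull request's head (the openapi.json artifact path in the preceding hunk). That is the accepted trade-off for posting a comment, but the trust boundary should be stated next to the grant so future edits keep artifact contents out of any shell step and pass them to the comment action as data only, e.g. `# pull_request_target: base-repo token; the diffed artifact comes from the PR head, treat as untrusted`. The inline note naming peter-evans/create-or-update-comment is good practice and should stay; the job's step list is outside the hunk.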
