From c6cfc3a1684067e92c5d9fbe5c67a45d009854f8 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Mon, 10 Jun 2024 08:59:48 -0700 Subject: [PATCH] [actions] improve default action permissions --- .github/workflows/latest-npm.yml | 3 +++ .github/workflows/lint.yml | 11 +++-------- .github/workflows/rebase.yml | 3 +++ .github/workflows/release.yml | 5 +++-- .github/workflows/require-allow-edits.yml | 3 +++ .github/workflows/shellcheck.yml | 9 +++------ .github/workflows/tests.yml | 5 +++++ .github/workflows/toc.yml | 3 +++ .github/workflows/windows-npm.yml | 3 +++ .gitignore | 3 +++ 10 files changed, 32 insertions(+), 16 deletions(-) diff --git a/.github/workflows/latest-npm.yml b/.github/workflows/latest-npm.yml index 8f3bc184d5..b368080704 100644 --- a/.github/workflows/latest-npm.yml +++ b/.github/workflows/latest-npm.yml @@ -2,6 +2,9 @@ name: 'Tests: `nvm install-latest-npm`' on: [pull_request, push] +permissions: + contents: read + jobs: matrix: runs-on: ubuntu-latest diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index b0a61f6d21..3e915ba69c 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -2,10 +2,11 @@ name: 'Tests: linting' on: [pull_request, push] +permissions: + contents: read + jobs: eclint: - permissions: - contents: read runs-on: ubuntu-latest steps: - uses: step-security/harden-runner@v2 @@ -23,8 +24,6 @@ jobs: - run: npm run eclint dockerfile_lint: - permissions: - contents: read runs-on: ubuntu-latest steps: - uses: step-security/harden-runner@v2 @@ -44,8 +43,6 @@ jobs: - run: npm run dockerfile_lint doctoc: - permissions: - contents: read runs-on: ubuntu-latest steps: - uses: step-security/harden-runner@v2 @@ -63,8 +60,6 @@ jobs: - run: npm run doctoc:check test_naming: - permissions: - contents: read runs-on: ubuntu-latest steps: - uses: step-security/harden-runner@v2 diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml index e7724aed0d..5cfc9c47c1 100644 
--- a/.github/workflows/rebase.yml +++ b/.github/workflows/rebase.yml @@ -2,6 +2,9 @@ name: Automatic Rebase on: [pull_request_target] +permissions: + contents: read + jobs: _: permissions: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 346a1845c0..84fe2d8d0a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -2,10 +2,11 @@ name: 'Tests: release process' on: [pull_request, push] +permissions: + contents: read + jobs: release: - permissions: - contents: read runs-on: ubuntu-latest steps: - name: Harden Runner diff --git a/.github/workflows/require-allow-edits.yml b/.github/workflows/require-allow-edits.yml index efb6c495ad..13cafee69b 100644 --- a/.github/workflows/require-allow-edits.yml +++ b/.github/workflows/require-allow-edits.yml @@ -2,6 +2,9 @@ name: Require “Allow Edits” on: [pull_request_target] +permissions: + contents: read + jobs: _: permissions: diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index ed0f6140e2..353480925e 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -2,10 +2,11 @@ name: 'Tests: shellcheck' on: [pull_request, push] +permissions: + contents: read + jobs: shellcheck_matrix: - permissions: - contents: read runs-on: ubuntu-latest strategy: fail-fast: false @@ -52,8 +53,4 @@ jobs: needs: [shellcheck_matrix] runs-on: ubuntu-latest steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: block - run: true diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 7480c337a2..60f7c05e0e 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -2,6 +2,9 @@ name: urchin tests on: [push] +permissions: + contents: read + jobs: tests: permissions: 
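Review bot: The workflow-level `contents: read` added here is only a default for jobs that declare no `permissions` of their own, and the one visible job `_` does declare one (`permissions:` is the hunk's last line; its scopes lie outside the hunk), so for this `pull_request_target` workflow the added block changes nothing about the token that job receives — a job-level block replaces the workflow-level one rather than merging with it. The job's own block, not the new default, governs here, so it is the one to confirm grants only what the rebase step needs. The same applies to require-allow-edits.yml, toc.yml and the `tests` job in the first tests.yml hunk, each of which also declares a job-level `permissions:`. A one-line comment above the added block, such as `# default for jobs without their own permissions block; a job-level block replaces it wholesale`, would keep readers from reading it as a cap on the jobs below.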
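Review bot: The aggregate job that ends this shellcheck.yml hunk (`needs: [shellcheck_matrix]`, `run: true`) now runs with the workflow-level `contents: read` token, while the equivalent aggregate `nvm` job in tests.yml is given a job-level block that zeroes its scopes; as far as the hunk shows this job does nothing with the token either, so the same treatment keeps the two workflows consistent: `permissions: {}` under the job key, next to `needs: [shellcheck_matrix]`. Separately, dropping the Harden Runner step is not covered by the commit subject; the job issues no network calls, so nothing is lost, but a sentence in the description saying so would save the next reader from wondering whether the egress policy was removed deliberately. The job's header line is outside the hunk.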
@@ -49,6 +52,8 @@ jobs: - run: make TERM=xterm-256color TEST_SUITE="${{ matrix.suite }}" SHELL="${{ matrix.shell }}" URCHIN="$(npx which urchin)" test-${{ matrix.shell }} nvm: + permissions: + contents: none name: 'all test suites, all shells' needs: [tests] runs-on: ubuntu-latest diff --git a/.github/workflows/toc.yml b/.github/workflows/toc.yml index 94c8f0dc4a..8772bccbb8 100644 --- a/.github/workflows/toc.yml +++ b/.github/workflows/toc.yml @@ -2,6 +2,9 @@ name: update readme TOC on: [push] +permissions: + contents: read + jobs: _: permissions: diff --git a/.github/workflows/windows-npm.yml b/.github/workflows/windows-npm.yml index 51234aeb50..6119f79c1d 100644 --- a/.github/workflows/windows-npm.yml +++ b/.github/workflows/windows-npm.yml @@ -2,6 +2,9 @@ name: 'Tests on Windows: `nvm install`' on: [pull_request, push] +permissions: + contents: read + env: NVM_INSTALL_GITHUB_REPO: ${{ github.repository }} NVM_INSTALL_VERSION: ${{ github.sha }} diff --git a/.gitignore b/.gitignore index fcf59f8039..cc3fca8b6b 100644 --- a/.gitignore +++ b/.gitignore @@ -21,3 +21,6 @@ current npm-shrinkwrap.json package-lock.json yarn.lock + +# rust build output +target
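Review bot: `contents: none` on the `nvm` job is the only scope listed, and any job-level `permissions` block sets every unlisted scope to none as well, so the result is a token with no scopes at all; the documented spelling for that intent is the empty mapping, `permissions: {}`, which reads as "no token" instead of inviting the question of what the other scopes are. Behaviour is identical either way, so this is a matter of style. The `nvm` job's body continues past the end of the hunk.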