From 00ba2f9a46763389cfea922391c0b1c00cc6baba Mon Sep 17 00:00:00 2001
From: Ashish Kurmi
Date: Wed, 7 Sep 2022 21:27:16 -0700
Subject: [PATCH 1/2] ci: add minimum GitHub token permissions for workflows

Signed-off-by: Ashish Kurmi
---
 .github/workflows/buf-lint.yml | 3 +++
 .github/workflows/buf.yml | 3 +++
 .github/workflows/codeql-analysis.yml | 3 +++
 .github/workflows/funcbench.yml | 3 +++
 .github/workflows/fuzzing.yml | 3 +++
 .github/workflows/repo_sync.yml | 3 +++
 6 files changed, 18 insertions(+)

diff --git a/.github/workflows/buf-lint.yml b/.github/workflows/buf-lint.yml
index 37756adbfd..bb5d78e5e7 100644
--- a/.github/workflows/buf-lint.yml
+++ b/.github/workflows/buf-lint.yml
@@ -4,6 +4,9 @@ on:
 paths:
 - ".github/workflows/buf-lint.yml"
 - "**.proto"
+permissions:
+ contents: read
+
 jobs:
 buf:
 name: lint
diff --git a/.github/workflows/buf.yml b/.github/workflows/buf.yml
index 4fe8c86b3e..ee06981e0f 100644
--- a/.github/workflows/buf.yml
+++ b/.github/workflows/buf.yml
@@ -3,6 +3,9 @@ on:
 push:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 buf:
 name: lint and publish
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 01075f0c22..298c0701af 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,6 +6,9 @@ on:
 schedule:
 - cron: "26 14 * * 1"
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/funcbench.yml b/.github/workflows/funcbench.yml
index 6583aa95b9..0826bcabe4 100644
--- a/.github/workflows/funcbench.yml
+++ b/.github/workflows/funcbench.yml
@@ -2,6 +2,9 @@ on:
 repository_dispatch:
 types: [funcbench_start]
 name: Funcbench Workflow
+permissions:
+ contents: read
+
 jobs:
 run_funcbench:
 name: Running funcbench
diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml
index 87c40d3105..d0751f2fb6 100644
--- a/.github/workflows/fuzzing.yml
+++ b/.github/workflows/fuzzing.yml
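Review bot: On its own this hunk leaves codeql-analysis.yml with a token that has only `contents: read`, and the SARIF upload done by the CodeQL analyze step needs `security-events: write`; the second patch in this series adds exactly that, so after commit 1 alone the scheduled CodeQL run would fail at upload until commit 2 lands. Squashing the two commits (or folding `security-events: write` into this one) keeps every commit in the series green and avoids a bisect landing on a broken CI state. The `analyze` job body is outside the hunk, so whether any other step needs more than read is not visible here.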
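Review bot: A workflow-level `contents: read` also drops `statuses`, `pull-requests` and `issues` write from the default token, and `run_funcbench` is a `repository_dispatch`-triggered benchmark whose steps lie outside the hunk; if any of those steps reports a result or a commit status back through `secrets.GITHUB_TOKEN`, those calls will now be rejected with 403. Confirm which token the reporting steps use. If it is the default token, grant only what that step needs at job level, e.g. `permissions:` / `contents: read` / `statuses: write` under `run_funcbench`, rather than widening the workflow-level block; if a stored PAT is used, the read-only default token is correct as written.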
@@ -1,6 +1,9 @@
 name: CIFuzz
 on:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 Fuzzing:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/repo_sync.yml b/.github/workflows/repo_sync.yml
index ca8197878c..392d801b0e 100644
--- a/.github/workflows/repo_sync.yml
+++ b/.github/workflows/repo_sync.yml
@@ -2,6 +2,9 @@ on:
 schedule:
 - cron: '44 17 * * *'
+permissions:
+ contents: read
+
 jobs:
 repo_sync:
 runs-on: ubuntu-latest
From ecfaa48a17d4f0f8f35d3b7e19d4b6f969f02c47 Mon Sep 17 00:00:00 2001
From: Ashish Kurmi <100655670+boahc077@users.noreply.github.com>
Date: Mon, 19 Sep 2022 01:17:46 -0700
Subject: [PATCH 2/2] Update .github/workflows/codeql-analysis.yml

Co-authored-by: Christian Hoffmann
Signed-off-by: Ashish Kurmi <100655670+boahc077@users.noreply.github.com>
---
 .github/workflows/codeql-analysis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 298c0701af..f0d3c060ea 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -8,6 +8,7 @@ on:
 permissions:
 contents: read
+ security-events: write
 jobs:
 analyze:
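Review bot: Because this workflow is only reachable through `workflow_call`, the token its `Fuzzing` job receives is the caller's token narrowed by this block — a called workflow can restrict the permissions passed in but never grant beyond them. The new `permissions:` block is therefore correct as a cap, but it does not protect the calling workflow's own jobs, so the caller (not visible here) should carry its own `permissions: contents: read` as well. A one-line comment above the block would make that dependency explicit: `# Caller's token is the ceiling; this block can only narrow it.`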
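Review bot: A nightly `repo_sync` job typically exists to push commits or open pull requests somewhere, and with `contents: read` at workflow level the default `GITHUB_TOKEN` can no longer do either; the job's steps are outside the hunk, so confirm whether they authenticate with `secrets.GITHUB_TOKEN` or a separately stored token. If the default token is used for pushes to this repository, scope the write at job level (`permissions:` / `contents: write` under `repo_sync`) instead of widening the workflow block; if a stored PAT is used for cross-repository writes, the read-only default token is correct and this change is safe.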
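Review bot: `security-events: write` restores the SARIF upload that the CodeQL analyze step needs, but as I recall the codeql-action documentation also lists `actions: read` as required when the workflow runs in a private repository; that is not needed for a public repository, yet the same file copied into a private fork would have its upload rejected. Consider adding `actions: read` next to the new line with the comment `# actions: read is only required in private repositories` so the omission is a deliberate choice rather than an oversight. The `analyze` job body is outside the hunk, so no other step's needs can be checked here.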