Merge pull request #10368 from nextcloud/defaultPermission

Setting token permissions to read-only follows the principle of least privilege.
2024-11-24 06:05:42 +03:00 · 2022-06-23 12:23:56 +02:00 · 2022-06-23 12:23:56 +02:00 · 573b976e63
commit 573b976e63
parent ce6014501e 92d3f08f6a
13 changed files with 50 additions and 13 deletions
--- a/.github/workflows/analysis.yml
+++ b/.github/workflows/analysis.yml
@ -6,6 +6,10 @@ on:
    push:
        branches: [ master, stable-* ]

+permissions:
+    pull-requests: write
+    contents: write
+
 jobs:
    analysis:
        runs-on: ubuntu-latest
--- a/.github/workflows/assembleFlavors.yml
+++ b/.github/workflows/assembleFlavors.yml
@ -4,6 +4,9 @@ on:
    pull_request:
        branches: [ master, stable-* ]

+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
    flavor:
        runs-on: ubuntu-latest
--- a/.github/workflows/autoApproveDependabot.yml
+++ b/.github/workflows/autoApproveDependabot.yml
@ -3,6 +3,9 @@ on:
    pull_request_target:
        branches: [ master, stable-* ]

+permissions:
+    pull-requests: write
+
 jobs:
    auto-approve:
        runs-on: ubuntu-latest
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@ -4,6 +4,9 @@ on:
    pull_request:
        branches: [ master, stable-* ]

+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
    check:
        runs-on: ubuntu-latest
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -27,7 +27,7 @@ jobs:
      uses: github/codeql-action/init@v2
      with:
        languages: ${{ matrix.language }}
-    - name: Set up JDK 
+    - name: Set up JDK
      uses: actions/setup-java@v2
      with:
        distribution: "temurin"
--- a/.github/workflows/command-rebase.yml
+++ b/.github/workflows/command-rebase.yml
@ -6,11 +6,11 @@
 name: Rebase command

 on:
-  issue_comment:
-    types: created
+    issue_comment:
+        types: created

-permissions:	
-  contents: read	
+permissions:
+  contents: read

 jobs:
  rebase:
@ -18,11 +18,11 @@ jobs:
    permissions:
      contents: none

-    # On pull requests and if the comment starts with `/rebase`
-    if: github.event.issue.pull_request != '' && startsWith(github.event.comment.body, '/rebase')
+        # On pull requests and if the comment starts with `/rebase`
+        if: github.event.issue.pull_request != '' && startsWith(github.event.comment.body, '/rebase')

-    steps:
-      - name: Add reaction on start
+        steps:
+            -   name: Add reaction on start
        uses: peter-evans/create-or-update-comment@v2
        with:
          token: ${{ secrets.COMMAND_BOT_PAT }}
--- a/.github/workflows/detectNewJavaFiles.yml
+++ b/.github/workflows/detectNewJavaFiles.yml
@ -4,12 +4,15 @@ on:
    pull_request:
        branches: [ master, stable-* ]

+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
    detectNewJavaFiles:
        runs-on: ubuntu-latest

        steps:
-               - uses: trilom/file-changes-action@v1.2.4
-               - uses: actions/checkout@v2
-               - name: Detect new java files
-                 run: scripts/analysis/detectNewJavaFiles.sh
+            -   uses: trilom/file-changes-action@v1.2.4
+            -   uses: actions/checkout@v2
+            -   name: Detect new java files
+                run: scripts/analysis/detectNewJavaFiles.sh
--- a/.github/workflows/detectSnapshot.yml
+++ b/.github/workflows/detectSnapshot.yml
@ -4,6 +4,9 @@ on:
    pull_request:
        branches: [ master, stable-* ]

+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
    detectSnapshot:
        runs-on: ubuntu-latest
--- a/.github/workflows/gradle-wrapper-validation.yml
+++ b/.github/workflows/gradle-wrapper-validation.yml
@ -4,6 +4,9 @@ on:
    pull_request:
        branches: [ master, stable-* ]

+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
    validation:
        name: "Validation"
--- a/.github/workflows/qa.yml
+++ b/.github/workflows/qa.yml
@ -4,6 +4,10 @@ on:
    pull_request:
        branches: [ master, stable-* ]

+permissions:
+    pull-requests: write
+    contents: read
+
 jobs:
    qa:
        runs-on: ubuntu-latest
--- a/.github/workflows/screenShotTest.yml
+++ b/.github/workflows/screenShotTest.yml
@ -4,6 +4,10 @@ on:
    pull_request:
        branches: [ master, stable-* ]

+permissions:
+    contents: read
+    pull-requests: write
+
 jobs:
    screenshot:
        runs-on: macOS-latest
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -3,6 +3,9 @@ on:
    schedule:
        -   cron: '* */2 * * *'

+permissions:
+    pull-requests: write
+
 jobs:
    stale:
        runs-on: ubuntu-latest
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@ -6,6 +6,10 @@ on:
    push:
        branches: [ master, stable-* ]

+permissions:
+    contents: read
+    pull-requests: write
+
 jobs:
    test:
        runs-on: ubuntu-latest