Merge pull request #10368 from nextcloud/defaultPermission

Setting token permissions to read-only follows the principle of least privilege.
2024-11-24 14:15:44 +03:00 · 2022-06-23 12:23:56 +02:00 · 2022-06-23 12:23:56 +02:00 · 573b976e63
commit 573b976e63
parent ce6014501e 92d3f08f6a
13 changed files with 50 additions and 13 deletions
--- a/.github/workflows/analysis.yml
+++ b/.github/workflows/analysis.yml
@ -6,6 +6,10 @@ on:
    push:
        branches: [ master, stable-* ]

+permissions:
+    pull-requests: write
+    contents: write
+
 jobs:
    analysis:
        runs-on: ubuntu-latest
--- a/.github/workflows/assembleFlavors.yml
+++ b/.github/workflows/assembleFlavors.yml
@ -4,6 +4,9 @@ on:
    pull_request:
        branches: [ master, stable-* ]

+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
    flavor:
        runs-on: ubuntu-latest
--- a/.github/workflows/autoApproveDependabot.yml
+++ b/.github/workflows/autoApproveDependabot.yml
@ -3,6 +3,9 @@ on:
    pull_request_target:
        branches: [ master, stable-* ]

+permissions:
+    pull-requests: write
+
 jobs:
    auto-approve:
        runs-on: ubuntu-latest
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@ -4,6 +4,9 @@ on:
    pull_request:
        branches: [ master, stable-* ]

+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
    check:
        runs-on: ubuntu-latest
--- a/.github/workflows/detectNewJavaFiles.yml
+++ b/.github/workflows/detectNewJavaFiles.yml
@ -4,6 +4,9 @@ on:
    pull_request:
        branches: [ master, stable-* ]

+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
    detectNewJavaFiles:
        runs-on: ubuntu-latest
--- a/.github/workflows/detectSnapshot.yml
+++ b/.github/workflows/detectSnapshot.yml
@ -4,6 +4,9 @@ on:
    pull_request:
        branches: [ master, stable-* ]

+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
    detectSnapshot:
        runs-on: ubuntu-latest
--- a/.github/workflows/gradle-wrapper-validation.yml
+++ b/.github/workflows/gradle-wrapper-validation.yml
@ -4,6 +4,9 @@ on:
    pull_request:
        branches: [ master, stable-* ]

+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
    validation:
        name: "Validation"
--- a/.github/workflows/qa.yml
+++ b/.github/workflows/qa.yml
@ -4,6 +4,10 @@ on:
    pull_request:
        branches: [ master, stable-* ]

+permissions:
+    pull-requests: write
+    contents: read
+
 jobs:
    qa:
        runs-on: ubuntu-latest
--- a/.github/workflows/screenShotTest.yml
+++ b/.github/workflows/screenShotTest.yml
@ -4,6 +4,10 @@ on:
    pull_request:
        branches: [ master, stable-* ]

+permissions:
+    contents: read
+    pull-requests: write
+
 jobs:
    screenshot:
        runs-on: macOS-latest
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -3,6 +3,9 @@ on:
    schedule:
        -   cron: '* */2 * * *'

+permissions:
+    pull-requests: write
+
 jobs:
    stale:
        runs-on: ubuntu-latest
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@ -6,6 +6,10 @@ on:
    push:
        branches: [ master, stable-* ]

+permissions:
+    contents: read
+    pull-requests: write
+
 jobs:
    test:
        runs-on: ubuntu-latest