From 603ac9a70c1d7d89674b2dc7e9c053a792485cfb Mon Sep 17 00:00:00 2001
From: Alex
Date: Mon, 19 Sep 2022 23:43:37 +0200
Subject: [PATCH 1/2] build: harden ci.yaml permissions

Signed-off-by: Alex
---
 .github/workflows/ci.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index d78148c8fb6f..87d540832dac
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -30,6 +30,9 @@ env:
 # `java` (we could use the `_JAVA_OPTIONS` environment variable, but this prints
 # text on stderr and so can break tests which check the output of a program).
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 test_non_bootstrapped:
 runs-on: [self-hosted, Linux]
@@ -528,6 +531,9 @@ jobs:
 ./project/scripts/sbtPublish ";project scala3-bootstrapped ;publishSigned ;sonatypeBundleRelease"
 nightly_documentation:
+ permissions:
+ contents: write # to push pages branch (peaceiris/actions-gh-pages)
+
 runs-on: [self-hosted, Linux]
 container:
 image: lampepfl/dotty:2021-03-22
@@ -706,6 +712,10 @@ jobs:
 open_issue_on_failure:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+ issues: write # to create new issues (jasonetco/create-an-issue)
+
 runs-on: [self-hosted, Linux]
 container:
 image: lampepfl/dotty:2021-03-22

From 69d44f7f3dcc3bf55804712cf668e581b855d27f Mon Sep 17 00:00:00 2001
From: Alex
Date: Mon, 19 Sep 2022 23:44:59 +0200
Subject: [PATCH 2/2] build: harden dependency-graph.yml permissions

Signed-off-by: Alex
---
 .github/workflows/dependency-graph.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/dependency-graph.yml b/.github/workflows/dependency-graph.yml
index f8facc0453ca..db0525781dd0
--- a/.github/workflows/dependency-graph.yml
+++ b/.github/workflows/dependency-graph.yml
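Review bot: `contents: write` on `nightly_documentation` (second hunk, the `+ permissions:` block) is scoped to the whole job, not to the peaceiris/actions-gh-pages step, so every earlier step of the documentation build — checkout, sbt, any plugin or script it pulls in — runs with a `GITHUB_TOKEN` that can push to every branch of the repository that branch protection does not cover. GitHub Actions cannot narrow a job's write scope to one branch; the least-privilege option is to keep this job at `contents: read` and give the pages action a `deploy_key` secret that is restricted to the pages branch, and otherwise at least confirm `main` and release branches are protected so the token cannot write to them. It is also worth checking that this job only runs on its schedule/push triggers and never on `pull_request` events, since the write-capable token would otherwise be handed to PR-driven runs; the triggers and the rest of the job's steps are outside this hunk. The `nightly_documentation` job body continues past the end of the hunk.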
@@ -3,6 +3,8 @@ on:
 push:
 branches:
 - main # default branch of the project
+permissions:
+ contents: read # to fetch code (actions/checkout)
 jobs:
 dependency-graph:
 name: Update Dependency Graph
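Review bot: `contents: read` is likely too restrictive for this workflow: a job named "Update Dependency Graph" that submits a snapshot through GitHub's dependency submission API (as scalacenter/sbt-dependency-submission and similar actions do) needs `contents: write`, and under this policy the submit step would fail with a 403 rather than silently do nothing. If that is what the job does, the added block should read `permissions:` / `  contents: write # to submit the dependency snapshot (dependency submission API)` so the comment also states what the write permission is for. Since the workflow only triggers on `push` to `main`, the write-capable token is not exposed to pull-request runs. The steps of the `dependency-graph` job are outside this hunk, so which action it actually uses should be confirmed there.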