
Commit 364deea

varunsh-coder authored and danielleadams committed
build: add GitHub token permissions for workflows
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
PR-URL: #43743
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
1 parent 1deb6b7 commit 364deea

24 files changed: +93 -0 lines changed

.github/workflows/authors.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,9 @@ on:
66

77
workflow_dispatch:
88

9+
permissions:
10+
contents: read
11+
912
jobs:
1013
authors_update:
1114
if: github.repository == 'nodejs/node'
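
Review bot: the workflow-level `contents: read` now also governs `authors_update`, and a job with that name presumably writes the regenerated file back somewhere. If any step pushes a commit or opens a pull request with `GITHUB_TOKEN`, it will be denied after this change. Please confirm those steps authenticate with a separate secret, or add a job-level `permissions:` block with the write scopes and a trailing comment naming the step that needs each one.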

.github/workflows/auto-start-ci.yml

Lines changed: 8 additions & 0 deletions
@@ -13,8 +13,13 @@ concurrency: ${{ github.workflow }}
1313
env:
1414
NODE_VERSION: lts/*
1515

16+
permissions:
17+
contents: read
18+
1619
jobs:
1720
get-prs-for-ci:
21+
permissions:
22+
pull-requests: read
1823
if: github.repository == 'nodejs/node'
1924
runs-on: ubuntu-latest
2025
outputs:
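
Review bot: the job-level block on `get-prs-for-ci` replaces the workflow default instead of adding to it, so this job runs with `pull-requests: read` only and `contents` drops to none. If that is intended, say so in a trailing comment on `pull-requests: read`, in the same style as the `# for actions/stale ...` comments used elsewhere in this commit, so a later editor does not assume the top-level `contents: read` still applies here.
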
@@ -32,6 +37,9 @@ jobs:
3237
env:
3338
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
3439
start-ci:
40+
permissions:
41+
contents: read
42+
pull-requests: write
3543
needs: get-prs-for-ci
3644
if: needs.get-prs-for-ci.outputs.numbers != ''
3745
runs-on: ubuntu-latest
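
Review bot: `pull-requests: write` on `start-ci` is the only write scope in this workflow and it carries no justification. Please add a trailing comment naming the step that modifies the pull request, and check whether `contents: read` is needed for this job at all; if no step reads repository contents with the token, dropping it keeps the job to the single scope it uses.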

.github/workflows/build-tarball.yml

Lines changed: 3 additions & 0 deletions
@@ -31,6 +31,9 @@ env:
3131
PYTHON_VERSION: '3.10'
3232
FLAKY_TESTS: dontcare
3333

34+
permissions:
35+
contents: read
36+
3437
jobs:
3538
build-tarball:
3639
if: github.event.pull_request.draft == false

.github/workflows/build-windows.yml

Lines changed: 3 additions & 0 deletions
@@ -26,6 +26,9 @@ env:
2626
PYTHON_VERSION: '3.10'
2727
FLAKY_TESTS: dontcare
2828

29+
permissions:
30+
contents: read
31+
2932
jobs:
3033
build-windows:
3134
if: github.event.pull_request.draft == false

.github/workflows/close-stale-feature-requests.yml

Lines changed: 6 additions & 0 deletions
@@ -28,8 +28,14 @@ env:
2828
[feature request management document](https://github.com/nodejs/node/blob/HEAD/doc/contributing/feature-request-management.md).
2929
# yamllint enable
3030

31+
permissions:
32+
contents: read
33+
3134
jobs:
3235
stale:
36+
permissions:
37+
issues: write # for actions/stale to close stale issues
38+
pull-requests: write # for actions/stale to close stale PRs
3339
if: github.repository == 'nodejs/node'
3440
runs-on: ubuntu-latest
3541
steps:

.github/workflows/close-stalled.yml

Lines changed: 6 additions & 0 deletions
@@ -9,8 +9,14 @@ env:
99
is still relevant, or to ping the collaborator who labelled it stalled if
1010
you have any questions.
1111
12+
permissions:
13+
contents: read
14+
1215
jobs:
1316
stale:
17+
permissions:
18+
issues: write # for actions/stale to close stale issues
19+
pull-requests: write # for actions/stale to close stale PRs
1420
if: github.repository == 'nodejs/node'
1521
runs-on: ubuntu-latest
1622
steps:

.github/workflows/comment-labeled.yml

Lines changed: 8 additions & 0 deletions
@@ -11,8 +11,14 @@ env:
1111
If it should remain open, please leave a comment explaining why it should remain open.
1212
FAST_TRACK_MESSAGE: Fast-track has been requested by @${{ github.actor }}. Please 👍 to approve.
1313

14+
permissions:
15+
contents: read
16+
1417
jobs:
1518
stale-comment:
19+
permissions:
20+
issues: write
21+
pull-requests: write
1622
if: github.repository == 'nodejs/node' && github.event.label.name == 'stalled'
1723
runs-on: ubuntu-latest
1824
steps:
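
Review bot: `stale-comment` is given both `issues: write` and `pull-requests: write` with no comment on either line, unlike the `actions/stale` workflows in this same commit. The only token consumer visible for this job is the `gh issue comment "$NUMBER"` step, so a trailing comment such as `# for gh issue comment` on each line would record why both scopes are present and make it easy to drop one later if the `stalled` label turns out to apply to only issues or only pull requests.
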
@@ -23,6 +29,8 @@ jobs:
2329
run: gh issue comment "$NUMBER" --repo ${{ github.repository }} --body "$STALE_MESSAGE"
2430

2531
fast-track:
32+
permissions:
33+
pull-requests: write
2634
if: github.repository == 'nodejs/node' && github.event_name == 'pull_request_target' && github.event.label.name == 'fast-track'
2735
runs-on: ubuntu-latest
2836
steps:
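
Review bot: the `if:` on `fast-track` shows this job runs on `pull_request_target`, so the `pull-requests: write` granted here is a write-capable token in a run triggered by a pull request. Limiting the job to that one scope is the right shape, but the line needs a comment naming the step that uses it, and it is worth stating in the same comment that `contents` is intentionally left at none so nobody re-adds it for convenience.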

.github/workflows/commit-lint.yml

Lines changed: 3 additions & 0 deletions
@@ -5,6 +5,9 @@ on: [pull_request]
55
env:
66
NODE_VERSION: lts/*
77

8+
permissions:
9+
contents: read
10+
811
jobs:
912
lint-commit-message:
1013
runs-on: ubuntu-latest

.github/workflows/commit-queue.yml

Lines changed: 5 additions & 0 deletions
@@ -18,8 +18,13 @@ concurrency: ${{ github.workflow }}
1818
env:
1919
NODE_VERSION: lts/*
2020

21+
permissions:
22+
contents: read
23+
2124
jobs:
2225
get_mergeable_prs:
26+
permissions:
27+
pull-requests: read
2328
if: github.repository == 'nodejs/node'
2429
runs-on: ubuntu-latest
2530
outputs:
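
Review bot: all five added lines for this file are in this hunk, so `get_mergeable_prs` is the only job with its own block and every other job in `commit-queue.yml` inherits `contents: read` alone. Any later job that lands commits, labels or comments through `GITHUB_TOKEN` would be denied; please confirm those jobs use a different credential and note that next to the top-level `permissions:` so the restriction is not mistaken for an oversight.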

.github/workflows/coverage-linux.yml

Lines changed: 3 additions & 0 deletions
@@ -29,6 +29,9 @@ env:
2929
PYTHON_VERSION: '3.10'
3030
FLAKY_TESTS: dontcare
3131

32+
permissions:
33+
contents: read
34+
3235
jobs:
3336
coverage-linux:
3437
if: github.event.pull_request.draft == false
