ivuorinen/actions
1
0
Fork 0
mirror of https://github.com/ivuorinen/actions.git synced 2026-03-06 03:55:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden workflow permissions with deny-all top-level and least-privilege job scopes (#482)

Browse Source
This commit is contained in:
Copilot
2026-03-06 02:44:56 +02:00
committed by GitHub
parent 455267f892
commit ae4ad9ec80
12 changed files with 32 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
.github/workflows/action-security.yml vendored
View File

@@ -17,10 +17,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: permissions: {}
contents: read
actions: read
pull-requests: read
jobs: jobs:
analyze: analyze:
@@ -29,6 +26,9 @@ jobs:
timeout-minutes: 30 timeout-minutes: 30
permissions: permissions:
contents: read
actions: read
pull-requests: read
security-events: write security-events: write
statuses: write statuses: write
issues: write issues: write

7
.github/workflows/build-testing-image.yml vendored
View File

@@ -23,15 +23,16 @@ on:
default: 'latest' default: 'latest'
type: string type: string
permissions: permissions: {}
contents: read
packages: write
jobs: jobs:
build-and-push: build-and-push:
name: Build and Push Testing Image name: Build and Push Testing Image
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 20 timeout-minutes: 20
permissions:
contents: read
packages: write
steps: steps:
- name: Checkout repository - name: Checkout repository

7
.github/workflows/codeql-new.yml vendored
View File

@@ -13,17 +13,16 @@ on:
- cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday - cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
merge_group: merge_group:
permissions: permissions: {}
actions: read
contents: read
jobs: jobs:
analyze: analyze:
name: Analyze (${{ matrix.language }}) name: Analyze (${{ matrix.language }})
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
security-events: write actions: read
contents: read contents: read
security-events: write
strategy: strategy:
fail-fast: false fail-fast: false

5
.github/workflows/dependency-review.yml vendored
View File

@@ -4,12 +4,13 @@ name: 'Dependency Review'
on: on:
- pull_request - pull_request
permissions: permissions: {}
contents: read
jobs: jobs:
dependency-review: dependency-review:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
steps: steps:
- name: 'Checkout Repository' - name: 'Checkout Repository'
uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta

3
.github/workflows/issue-stats.yml vendored
View File

@@ -5,8 +5,7 @@ on:
schedule: schedule:
- cron: '3 2 1 * *' - cron: '3 2 1 * *'
permissions: permissions: {}
contents: read
jobs: jobs:
build: build:

2
.github/workflows/new-release.yml vendored
View File

@@ -6,7 +6,7 @@ on:
schedule: schedule:
- cron: '0 21 * * *' # 00:00 at Europe/Helsinki - cron: '0 21 * * *' # 00:00 at Europe/Helsinki
permissions: read-all permissions: {}
jobs: jobs:
new-daily-release: new-daily-release:

4
.github/workflows/pr-lint.yml vendored
View File

@@ -37,9 +37,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: permissions: {}
contents: read
packages: read # Required for private dependencies
jobs: jobs:
megalinter: megalinter:

3
.github/workflows/release.yml vendored
View File

@@ -7,8 +7,7 @@ on:
tags: tags:
- 'v*' - 'v*'
permissions: permissions: {}
contents: read
jobs: jobs:
release: release:

11
.github/workflows/security-suite.yml vendored
View File

@@ -18,11 +18,7 @@ on:
- '**/*.yaml' - '**/*.yaml'
- '.github/workflows/**' - '.github/workflows/**'
permissions: permissions: {}
contents: read
pull-requests: write
issues: write
actions: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number }} group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -32,6 +28,11 @@ jobs:
security-analysis: security-analysis:
name: Security Analysis name: Security Analysis
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
issues: write
actions: read
steps: steps:
- name: Checkout PR - name: Checkout PR

5
.github/workflows/stale.yml vendored
View File

@@ -8,10 +8,7 @@ on:
workflow_call: workflow_call:
workflow_dispatch: workflow_dispatch:
permissions: permissions: {}
contents: read
packages: read
statuses: read
jobs: jobs:
stale: stale:

3
.github/workflows/sync-labels.yml vendored
View File

@@ -22,7 +22,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: read-all permissions: {}
jobs: jobs:
labels: labels:
@@ -31,6 +31,7 @@ jobs:
timeout-minutes: 10 timeout-minutes: 10
permissions: permissions:
contents: read
issues: write issues: write
steps: steps:

9
.github/workflows/version-maintenance.yml vendored
View File

@@ -12,15 +12,16 @@ on:
required: false required: false
type: string type: string
permissions: permissions: {}
contents: write
pull-requests: write
issues: write
jobs: jobs:
check-and-update: check-and-update:
name: Check Version References name: Check Version References
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
issues: write
steps: steps:
- name: Checkout Repository - name: Checkout Repository