ci: limit job permissions from default (#9874)

Signed-off-by: Alex <aleksandrosansan@gmail.com>
2022-09-26 21:41:24 +02:00 · 2022-09-26 21:41:24 +02:00 · f44ca01fcf
parent 19a1454c2d
commit f44ca01fcf
3 changed files with 14 additions and 0 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -22,6 +22,9 @@ env:
  DESTDIR: "./bin"
  DOCKER_CLI_VERSION: "20.10.17"

+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
  prepare:
    runs-on: ubuntu-latest
@ -182,6 +185,9 @@ jobs:
          make e2e-compose-standalone

  release:
+    permissions:
+      contents: write # to create a release (ncipollo/release-action)
+
    runs-on: ubuntu-latest
    needs:
      - binary
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@ -4,8 +4,13 @@ on:
  release:
    types: [published]

+permissions: {}
 jobs:
  open-pr:
+    permissions:
+      contents: write # to create branch (peter-evans/create-pull-request)
+      pull-requests: write # to create a PR (peter-evans/create-pull-request)
+
    runs-on: ubuntu-latest
    steps:
      -
--- a/.github/workflows/merge.yml
+++ b/.github/workflows/merge.yml
@ -12,6 +12,9 @@ on:
      - 'v*'
  workflow_dispatch:

+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
  e2e:
    name: Build and test