Skip to content

Commit 672036c

Browse files
Peter MatkovskiPeter Matkovski
authored andcommitted
ci: add least-privilege permissions to GitHub Actions workflows
Restrict default GITHUB_TOKEN scope per workflow. Write scopes granted only where jobs dispatch/cancel workflows, publish packages, or label issues/PRs. Refs: APPSEC-164
1 parent e96e8b9 commit 672036c

35 files changed

Lines changed: 118 additions & 0 deletions

.github/workflows/auto-approve.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,9 @@ on:
66
env:
77
GITHUB_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
88

9+
permissions:
10+
pull-requests: write
11+
912
jobs:
1013
auto-approve:
1114
name: Auto Approve

.github/workflows/cherry-pick-auto.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,10 @@ on:
1111
env:
1212
GH_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
1313

14+
permissions:
15+
contents: read
16+
pull-requests: write
17+
1418
jobs:
1519
cherry-pick:
1620
if: ${{ github.event.pull_request.merged == true && (github.base_ref == 'main' || startsWith(github.base_ref, 'release-')) }}

.github/workflows/cherry-pick-label-check.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ on:
77
- main
88
- release-*
99

10+
permissions:
11+
contents: read
12+
pull-requests: read
13+
1014
jobs:
1115
pr-label-check:
1216
uses: apecloud/apecloud-cd/.github/workflows/pull-request-label-check.yml@v0.1.88

.github/workflows/cherry-pick-usage.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,9 @@ on:
1111
env:
1212
GH_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
1313

14+
permissions:
15+
contents: read
16+
1417
jobs:
1518
cherry-pick-usage:
1619
uses: apecloud/apecloud-cd/.github/workflows/pull-request-cherry-pick-usage.yml@v0.1.88

.github/workflows/cherry-pick.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,10 @@ on:
66
env:
77
GH_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
88

9+
permissions:
10+
contents: read
11+
pull-requests: write
12+
913
jobs:
1014
cherry-pick:
1115
if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/cherry-pick')

.github/workflows/cicd-pull-request.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,11 @@ env:
1212
BASE_BRANCH: origin/main
1313
GO_VERSION: "1.24"
1414

15+
permissions:
16+
contents: read
17+
actions: write
18+
pull-requests: read
19+
1520
jobs:
1621
trigger-mode:
1722
name: trigger mode

.github/workflows/cicd-push.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,10 @@ env:
1212
BASE_BRANCH: origin/main
1313
GO_VERSION: "1.24"
1414

15+
permissions:
16+
contents: read
17+
actions: write
18+
1519
jobs:
1620
trigger-mode:
1721
runs-on: ubuntu-latest

.github/workflows/codeql.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,10 @@ env:
1010
BASE_BRANCH: origin/main
1111
GO_VERSION: "1.24"
1212

13+
permissions:
14+
contents: read
15+
security-events: write
16+
1317
jobs:
1418
trigger-mode:
1519
runs-on: ubuntu-latest

.github/workflows/create-branch.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,9 @@ name: Create Release Branch Message
33
on:
44
create:
55

6+
permissions:
7+
contents: write
8+
69
run-name: Create Release Branch
710

811
jobs:

.github/workflows/e2e-fault.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -56,6 +56,9 @@ run-name: fault:${{ inputs.PRE_VERSION }} to ${{ inputs.VERSION }} ${{ inputs.CL
5656
env:
5757
GH_TOKEN: ${{ github.token }}
5858

59+
permissions:
60+
contents: read
61+
5962
jobs:
6063
check:
6164
runs-on: ubuntu-latest

0 commit comments

Comments
 (0)