
Commit 3038c38

committed
Tighten up the GitHub Actions workflow permissions.
1 parent 0916f36 commit 3038c38

9 files changed

Lines changed: 47 additions & 3 deletions


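--- a/.github/workflows/cs.yml
+++ b/.github/workflows/cs.yml
@@ -13,10 +13,14 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   actionlint: #----------------------------------------------------------------------
     name: 'Check GHA workflows'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout code
@@ -41,6 +45,8 @@ jobs:
   phpcs: #----------------------------------------------------------------------
     name: 'PHPCS'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout code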
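Review bot: The new top-level `permissions: {}` at the head of the first hunk has no comment saying that it revokes every GITHUB_TOKEN scope so that each job must opt in, and the identical line in label-merge-conflicts.yml, lint.yml, quicktest.yml, reusable-update-cacert.yml, test.yml, update-cacert-cron.yml, update-cacert.yml and update-website.yml is equally bare. A one-line comment above it, such as `# Deny all GITHUB_TOKEN scopes by default; each job declares the minimum it needs.`, records the intent so that a job added later is not handed a broad grant out of habit. The job-level `contents: read` on actionlint and phpcs matches the checkout step that follows each of them, so the grants themselves look right.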

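--- a/.github/workflows/label-merge-conflicts.yml
+++ b/.github/workflows/label-merge-conflicts.yml
@@ -13,10 +13,14 @@ on:
       - synchronize
       - reopened
 
+permissions: {}
+
 jobs:
   check-prs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'WordPress'
+    permissions:
+      pull-requests: write
 
     name: Check PRs for merge conflicts
 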
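Review bot: The `pull-requests: write` grant on check-prs only has effect if the event lets GITHUB_TOKEN be elevated; the trigger lines sit above the hunk, and if the `synchronize`/`reopened` types belong to a plain `pull_request` event, the token stays read-only for pull requests opened from forks regardless of this block, so labelling those PRs would fail with a permission error. That is worth confirming against the `on:` section, and if fork PRs must be labelled the event would have to be `pull_request_target`, which in turn requires that the job never check out or run PR-supplied code. A short comment such as `# pull-requests: write — needed to add/remove the merge-conflict label` would also record why this scope is required.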

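--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -13,9 +13,13 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   lint: #----------------------------------------------------------------------
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       matrix: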

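--- a/.github/workflows/quicktest.yml
+++ b/.github/workflows/quicktest.yml
@@ -13,11 +13,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   #### QUICK TEST STAGE ####
   # Runs the tests against select PHP versions for pushes to arbitrary branches.
   quicktest:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       matrix: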

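--- a/.github/workflows/reusable-update-cacert.yml
+++ b/.github/workflows/reusable-update-cacert.yml
@@ -3,11 +3,17 @@ name: Certificates
 on:
   workflow_call:
 
+permissions: {}
+
 jobs:
   certificate-check:
     name: "Check for updated certificate bundle"
 
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
     steps:
       - name: Determine branches to use
         id: branches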
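Review bot: The certificate-check job now asks for `contents: write` and `pull-requests: write` without a comment on what each scope is used for; presumably the steps below the hunk push an updated bundle to a branch and open a pull request, but the job body continues outside the hunk so that cannot be confirmed here. A comment per scope, e.g. `contents: write        # push the updated bundle to a branch` and `pull-requests: write   # open the update PR`, keeps the grant reviewable. Because this is a `workflow_call` workflow, these job-level scopes can only be narrowed from what the calling job passes in, which is why update-cacert-cron.yml and update-cacert.yml repeat the same two scopes on their caller jobs; a comment cross-referencing that pairing would help whoever later tightens one side without the other.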

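--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,10 +14,14 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   #### TEST STAGE ####
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       # Keys: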

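--- a/.github/workflows/update-cacert-cron.yml
+++ b/.github/workflows/update-cacert-cron.yml
@@ -11,9 +11,14 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   certificate-check:
     # Don't run the cron job on forks.
     if: ${{ github.event.repository.fork == false }}
+    permissions:
+      contents: write
+      pull-requests: write
 
     uses: ./.github/workflows/reusable-update-cacert.yml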

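--- a/.github/workflows/update-cacert.yml
+++ b/.github/workflows/update-cacert.yml
@@ -24,6 +24,12 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   certificate-check:
+    permissions:
+      contents: write
+      pull-requests: write
+
     uses: ./.github/workflows/reusable-update-cacert.yml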

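--- a/.github/workflows/update-website.yml
+++ b/.github/workflows/update-website.yml
@@ -21,9 +21,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  pull-requests: write
-  contents: write
+permissions: {}
 
 jobs:
   prepare:
@@ -32,6 +30,9 @@ jobs:
     if: github.repository == 'WordPress/Requests'
 
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
     steps:
       # By default use the `stable` branch as the published docs should always
       # reflect the latest release.
@@ -91,6 +92,10 @@ jobs:
     if: github.repository == 'WordPress/Requests'
 
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
     steps:
       # PRs based on the "pull request" event trigger will contain changes from the
       # current `develop` branch, so should not be published as the website should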
