From 28538fe3b1f919da7a17c87f3cec816b7ab1c9f5 Mon Sep 17 00:00:00 2001
From: epszaw
Date: Thu, 28 Aug 2025 14:41:49 +0200
Subject: [PATCH 1/4] add workflow-wide permissions
---
 .github/workflows/labeler.yml | 5 +++++
 .github/workflows/labels-verify.yml | 5 +++++
 .github/workflows/publish.yml | 5 +++++
 .github/workflows/release.yml | 5 +++++
 4 files changed, 20 insertions(+)
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index e0d99fc81..f49976b59 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -3,9 +3,14 @@ name: "Set theme labels"
 on:
 - pull_request_target
+permissions:
+ contents: read
+
 jobs:
 triage:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 steps:
 - uses: actions/labeler@v4
 with:
diff --git a/.github/workflows/labels-verify.yml b/.github/workflows/labels-verify.yml
index 0c18ecb77..a913a0f13 100644
--- a/.github/workflows/labels-verify.yml
+++ b/.github/workflows/labels-verify.yml
@@ -4,9 +4,14 @@ on:
 pull_request_target:
 types: [opened, labeled, unlabeled, synchronize]
+permissions:
+ contents: read
+
 jobs:
 triage:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 steps:
 - uses: baev/action-label-verify@main
 with:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 28af62d51..1be277408 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,9 +4,14 @@ on:
 release:
 types: [ published ]
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@v4.1.1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1f8821c29..4540e572f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
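Review bot: The job-level `permissions:` block added to `triage` replaces the workflow-level block for that job instead of merging with it (every scope not listed at job level becomes `none`), so the `contents: read` declared at the top never reaches `triage`, and `actions/labeler` documents needing `contents: read` next to `pull-requests: write` to fetch its label configuration. Put the read scope in the job block: `permissions:` / `contents: read` / `pull-requests: write`. Whether the config fetch actually fails on this repository depends on its visibility, which the hunk does not show. Since the workflow fires on `pull_request_target` with a token that can write to pull requests, the `uses: actions/labeler@v4` context line should also be pinned to a full commit SHA rather than a mutable major tag.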
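Review bot: The context line `- uses: baev/action-label-verify@main` resolves a mutable branch of a third-party action inside a `pull_request_target` job whose token this hunk now explicitly grants `pull-requests: write`, so whoever can push to that branch can run code with that token against every incoming PR. Pin the reference to a full commit SHA, e.g. `- uses: baev/action-label-verify@<sha> # main`, and bump it deliberately. Note also that the job-level block drops the workflow-level `contents: read` for this job, because a job-level `permissions:` replaces the workflow-level set rather than extending it; that is fine as long as the action never reads repository files, which cannot be confirmed from here.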
@@ -11,9 +11,14 @@ on:
 description: "The next version in . format WITHOUT SNAPSHOT SUFFIX"
 required: true
+permissions:
+ contents: read
+
 jobs:
 triage:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: "Check release version"
 run: |
From ab30cf8c31e9ab227782003e9c382c5ca5920edb Mon Sep 17 00:00:00 2001
From: epszaw
Date: Wed, 17 Sep 2025 10:22:08 +0200
Subject: [PATCH 2/4] Update .github/workflows/labels-verify.yml
Co-authored-by: Maksim Stepanov <17935127+delatrie@users.noreply.github.com>
---
 .github/workflows/labels-verify.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/labels-verify.yml b/.github/workflows/labels-verify.yml
index a913a0f13..40095417d 100644
--- a/.github/workflows/labels-verify.yml
+++ b/.github/workflows/labels-verify.yml
@@ -11,7 +11,7 @@ jobs:
 triage:
 runs-on: ubuntu-latest
 permissions:
- pull-requests: write
+ pull-requests: read
 steps:
 - uses: baev/action-label-verify@main
 with:
From e26fc8fbb7271ed37ef6d7f9b1375244e209791a Mon Sep 17 00:00:00 2001
From: epszaw
Date: Wed, 17 Sep 2025 10:22:17 +0200
Subject: [PATCH 3/4] Update .github/workflows/labels-verify.yml
Co-authored-by: Maksim Stepanov <17935127+delatrie@users.noreply.github.com>
---
 .github/workflows/labels-verify.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/labels-verify.yml b/.github/workflows/labels-verify.yml
index 40095417d..7315a905a 100644
--- a/.github/workflows/labels-verify.yml
+++ b/.github/workflows/labels-verify.yml
@@ -5,7 +5,7 @@ on:
 types: [opened, labeled, unlabeled, synchronize]
 permissions:
- contents: read
+ contents: none
 jobs:
 triage:
From 916b2addd99535199f22598aee700c56423753f6 Mon Sep 17 00:00:00 2001
From: epszaw
Date: Wed, 17 Sep 2025 10:22:58 +0200
Subject: [PATCH 4/4] Remove write permissions for contents in publish.yml
Removed write permissions for contents in the build job.
---
 .github/workflows/publish.yml | 2 --
 1 file changed, 2 deletions(-)
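Review bot: The `triage` job now carries `contents: write`, yet the only step visible is "Check release version", whose `run: |` body continues outside the hunk; if that script interpolates the `workflow_dispatch` input with `${{ github.event.inputs.<name> }}` directly into shell, anyone allowed to dispatch the workflow has a shell-injection path into a job that can push to the repository. Pass the input through `env:` and read it as a shell variable instead, e.g. `env:` / `NEXT_VERSION: ${{ github.event.inputs.<name> }}` with `"$NEXT_VERSION"` in the script; the input's key is not shown here, so substitute the real one. If the version check and the write-needing steps can be split into separate jobs, only the latter should get `contents: write`. The job-level block also replaces the workflow-level `contents: read` for this job, which is harmless here since write includes read.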
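Review bot: Changing the workflow-level default to `contents: none` does not alter what the `triage` job receives, because that job declares its own `permissions:` block and a job-level block replaces the workflow-level one entirely (unspecified scopes are already `none` there); the new value is still the right baseline for any job added later, so the change is worth keeping but the commit should say that is its purpose. Since this workflow fires on `pull_request_target`, the reason the token is kept this tight deserves a comment next to the trigger, e.g. `# pull_request_target runs with a base-repo token: never check out or execute the PR head in this workflow`. The job's `permissions:` block is outside this hunk.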
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 1be277408..d34e4ba62 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -10,8 +10,6 @@ permissions:
 jobs:
 build:
 runs-on: ubuntu-latest
- permissions:
- contents: write
 steps:
 - uses: actions/checkout@v4.1.1
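Review bot: With the job-level block removed, `build` inherits the workflow-level `contents: read`, which covers the `actions/checkout` step shown but not any later step in this job that uploads release assets or pushes with `GITHUB_TOKEN`; those steps lie outside the hunk, so confirm the job publishes only through a separate registry secret before relying on `read`. If a later step does attach artifacts to the release, restore the scope on the job rather than the workflow: `permissions:` / `contents: write`. The `actions/checkout@v4.1.1` reference is a tag rather than a commit SHA; pinning it would match the least-privilege intent of this series.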