From bcda798f893edda8d8c59c5d0a433547c4fa7936 Mon Sep 17 00:00:00 2001
From: Timeless0911 <1604889533@qq.com>
Date: Tue, 19 May 2026 20:06:17 +0800
Subject: [PATCH] chore: harden GitHub Actions permissions

---
 .github/workflows/benchmark.yml | 8 +++++---
 .github/workflows/ecosystem-ci.yml | 19 ++++++++++++-------
 .github/workflows/lint.yml | 11 ++++++-----
 .github/workflows/preview.yml | 11 ++++++-----
 .github/workflows/release.yml | 14 ++++++++------
 .github/workflows/reusable-test.yml | 11 ++++++-----
 .github/workflows/test.yml | 11 +++++++++--
 7 files changed, 52 insertions(+), 33 deletions(-)

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 84ab3ed74..1d0c676f1 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -10,6 +10,8 @@ on:
 required: true
 default: 'main'
 
+permissions: {}
+
 jobs:
 benchmark:
 runs-on: ubuntu-24.04
@@ -23,7 +25,7 @@ jobs:
 run: echo "TODO:\ Support benchmark in Rstest, this job is only a placeholder for the time being."
 # - name: Checkout
- # uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ # uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 # with:
 # fetch-depth: 10
 # ref: ${{ inputs.ref || 'main' }}
@@ -34,7 +36,7 @@ jobs:
 # corepack enable
 
 # - name: Setup Node.js ${{ matrix.node-version }}
- # uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+ # uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 # with:
 # node-version: ${{ matrix.node-version }}
 # cache: 'pnpm'
@@ -44,7 +46,7 @@ jobs:
 # # only run benchmark in Ubuntu
 # - name: Benchmarks (Rstest)
- # uses: CodSpeedHQ/action@0010eb0ca6e89b80c88e8edaaa07cfe5f3e6664d # v3
+ # uses: CodSpeedHQ/action@0010eb0ca6e89b80c88e8edaaa07cfe5f3e6664d # v3.5.0
 # with:
 # run: pnpm run test:benchmark
 # # token retrieved from the CodSpeed app at the previous step
diff --git a/.github/workflows/ecosystem-ci.yml b/.github/workflows/ecosystem-ci.yml
index 340713a44..444ef8d48 100644
--- a/.github/workflows/ecosystem-ci.yml
+++ b/.github/workflows/ecosystem-ci.yml
@@ -11,20 +11,19 @@ on:
 required: true
 default: 'main'
 
-permissions:
- contents: write
- issues: write
- pull-requests: write
+permissions: {}
 
 jobs:
 changes:
 runs-on: ubuntu-latest
 if: github.repository == 'web-infra-dev/rslib' && github.event_name != 'workflow_dispatch'
+ permissions:
+ contents: read
 outputs:
 changed: ${{ steps.changes.outputs.changed }}
 steps:
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 1
 - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
@@ -41,9 +40,13 @@ jobs:
 name: Dispatch ecosystem CI
 runs-on: ubuntu-latest
 if: github.repository == 'web-infra-dev/rslib' && github.event_name == 'workflow_dispatch'
+ permissions:
+ contents: read
+ issues: write
+ pull-requests: read
 steps:
 - name: Trigger Ecosystem CI
- uses: rstackjs/rstack-ecosystem-ci/.github/actions/ecosystem_ci_dispatch@4949c44494d7fd3503abd791f11534c798a2a1d0 # main
+ uses: rstackjs/rstack-ecosystem-ci/.github/actions/ecosystem_ci_dispatch@ca8d345a115158ea5ab3807378357f2162be7467 # main
 with:
 github-token: ${{ secrets.REPO_RSLIB_ECO_CI_GITHUB_TOKEN }}
 ecosystem-owner: web-infra-dev
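Review bot: The job-level block added to the `changes` job grants only `contents: read`, while the `dorny/paths-filter` step at the end of the hunk documents a `pull-requests: read` requirement for runs triggered by `pull_request` events, where it lists changed files through the pull-request API. The `on:` section is outside the hunk, so it cannot be confirmed here whether that trigger is configured; the job's `if` only shows that it runs on something other than `workflow_dispatch`. If pull requests do trigger it, a step that previously worked under the workflow-level `pull-requests: write` will now fail against the emptied `permissions: {}`, and the new block should read `permissions:` / `contents: read` / `pull-requests: read`.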
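Review bot: The `issues: write` and `pull-requests: read` grants on the dispatch job scope the automatic `GITHUB_TOKEN`, but the only step hands the action a separate `secrets.REPO_RSLIB_ECO_CI_GITHUB_TOKEN`, and whether the composite action also uses `github.token` is not visible in this diff. If it does not, `issues: write` is a write scope surviving a hardening commit with nothing to use it, and the block can shrink to `contents: read`. If it does, a one-line comment above the grant naming the call that needs it (e.g. `# issues: write — needed by ecosystem_ci_dispatch for <API call, to be filled in>`) would stop the next reader from removing it. The `per_commit` job in the next hunk passes the same token with only `contents: read`, which suggests the write scope is dispatch-specific — worth a sentence either way.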
@@ -56,9 +59,11 @@ jobs:
 needs: changes
 runs-on: ubuntu-latest
 if: github.repository == 'web-infra-dev/rslib' && github.event_name != 'workflow_dispatch' && needs.changes.outputs.changed == 'true'
+ permissions:
+ contents: read
 steps:
 - name: Trigger Ecosystem CI
- uses: rstackjs/rstack-ecosystem-ci/.github/actions/ecosystem_ci_per_commit@4949c44494d7fd3503abd791f11534c798a2a1d0 # main
+ uses: rstackjs/rstack-ecosystem-ci/.github/actions/ecosystem_ci_per_commit@ca8d345a115158ea5ab3807378357f2162be7467 # main
 with:
 github-token: ${{ secrets.REPO_RSLIB_ECO_CI_GITHUB_TOKEN }}
 ecosystem-owner: web-infra-dev
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index ca5e945bc..0b467da71 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -9,16 +9,17 @@ on:
 workflow_dispatch:
 
-permissions:
- contents: read
+permissions: {}
 
 jobs:
 lint:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 1
@@ -28,10 +29,10 @@ jobs:
 corepack enable
 
 - name: Setup Node.js
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 24
- cache: 'pnpm'
+ package-manager-cache: false
 
 - name: Install Dependencies
 run: pnpm install
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
index e06771772..00bfa82fe 100644
--- a/.github/workflows/preview.yml
+++ b/.github/workflows/preview.yml
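Review bot: Replacing `cache: 'pnpm'` with `package-manager-cache: false` in the lint job's Setup Node.js step does not merely adjust caching, it switches dependency caching off for the job, so each run will perform a cold `pnpm install`; nothing in the subject line ("harden GitHub Actions permissions") announces that. If the intent was only to opt out of setup-node's automatic lockfile-based caching, keeping `cache: 'pnpm'` alongside `package-manager-cache: false` should preserve the previous behaviour, as far as the inputs of the pinned v6 release go — worth confirming against its action.yml. The same substitution is made in the preview, release and reusable-test hunks later in this patch, so whichever way this is resolved should be applied there too.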
@@ -11,17 +11,18 @@ on:
 required: true
 default: 'main'
 
-permissions:
- contents: read
+permissions: {}
 
 jobs:
 preview:
 if: github.repository == 'web-infra-dev/rslib'
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 1
 ref: ${{ github.event.inputs.branch }}
@@ -41,10 +42,10 @@ jobs:
 - name: Setup Node.js
 if: steps.changes.outputs.changed == 'true'
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 24
- cache: 'pnpm'
+ package-manager-cache: false
 
 - name: Install Dependencies
 if: steps.changes.outputs.changed == 'true'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 55ba0a912..73dbd9d94 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,9 +19,7 @@ on:
 required: true
 default: 'main'
 
-permissions:
- # Provenance generation in GitHub Actions requires "write" access to the "id-token"
- id-token: write
+permissions: {}
 
 jobs:
 release:
@@ -29,9 +27,13 @@ jobs:
 if: github.repository == 'web-infra-dev/rslib' && github.event_name == 'workflow_dispatch'
 runs-on: ubuntu-latest
 environment: npm
+ permissions:
+ contents: read
+ # Provenance generation in GitHub Actions requires "write" access to the "id-token"
+ id-token: write
 steps:
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 1
 ref: ${{ github.event.inputs.branch }}
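Review bot: The job-level `contents: read` on the release job is new: the workflow-level block it replaces listed only `id-token: write`, and GitHub sets every scope that is not listed to none, so the token previously had no contents access at all. Adding it is probably deliberate (checkout with an explicit read scope rather than relying on the repository being public), but in a commit described as hardening a widened scope deserves a line, e.g. `# read-only checkout; publishing authenticates via OIDC (id-token), not via GITHUB_TOKEN` above `contents: read`. The job body continues beyond the hunk; if any later step pushes tags or creates a GitHub release with the default token it needs `contents: write` here, and that requirement — or its absence — is worth stating in the same comment.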
@@ -42,10 +44,10 @@ jobs:
 corepack enable
 
 - name: Setup Node.js
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 24
- cache: 'pnpm'
+ package-manager-cache: false
 
 # Update npm to the latest version to enable OIDC
 - name: Update npm
diff --git a/.github/workflows/reusable-test.yml b/.github/workflows/reusable-test.yml
index bfaf5f353..ecb65700e 100644
--- a/.github/workflows/reusable-test.yml
+++ b/.github/workflows/reusable-test.yml
@@ -13,15 +13,16 @@ on:
 required: true
 type: string
 
-permissions:
- contents: read
+permissions: {}
 
 jobs:
 test:
 runs-on: ${{ inputs.runner }}
+ permissions:
+ contents: read
 steps:
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 1
@@ -49,10 +50,10 @@ jobs:
 - name: Setup Node.js ${{ inputs.node-version }}
 if: ${{ steps.changes.outputs.changed == 'true' }}
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: ${{ inputs.node-version }}
- cache: 'pnpm'
+ package-manager-cache: false
 
 - name: Install Dependencies
 if: ${{ steps.changes.outputs.changed == 'true' }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index b6c2dd93f..92ab08f51 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,8 +9,7 @@ on:
 workflow_dispatch:
 
-permissions:
- contents: read
+permissions: {}
 
 jobs:
 ut:
@@ -19,6 +18,8 @@ jobs:
 runner: [ubuntu-latest, windows-latest]
 node-version: [24]
 uses: ./.github/workflows/reusable-test.yml
+ permissions:
+ contents: read
 with:
 runner: ${{ matrix.runner }}
 node-version: ${{ matrix.node-version }}
@@ -31,6 +32,8 @@ jobs:
 node-version: [24]
 uses: ./.github/workflows/reusable-test.yml
+ permissions:
+ contents: read
 with:
 runner: ${{ matrix.runner }}
 node-version: ${{ matrix.node-version }}
@@ -43,6 +46,8 @@ jobs:
 node-version: ['25']
 uses: ./.github/workflows/reusable-test.yml
+ permissions:
+ contents: read
 with:
 runner: ${{ matrix.runner }}
 node-version: ${{ matrix.node-version }}
@@ -54,6 +59,8 @@ jobs:
 runner: [ubuntu-latest, windows-latest]
 node-version: [24]
 uses: ./.github/workflows/reusable-test.yml
+ permissions:
+ contents: read
 with:
 runner: ${{ matrix.runner }}
 node-version: ${{ matrix.node-version }}