chore: Set permissions for GitHub actions · pyrox.dev/nixpkgs@5deff95

lol

chore: Set permissions for GitHub actions

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: nathannaveen <42319948+nathannaveen@users.noreply.github.com>

nathannaveen 3 years ago 5deff958 5d9b21d7

+12

2 changed files

expand all

.github

workflows

no-channel.yml

update-terraform-providers.yml

.github/workflows/no-channel.yml

··· 6 6 - 'nixos-**' 7 7 - 'nixpkgs-**' 8 8 9 + permissions: 10 + contents: read 11 + 9 12 jobs: 10 13 fail: 14 + permissions: 15 + contents: none 11 16 name: "This PR is is targeting a channel branch" 12 17 runs-on: ubuntu-latest 13 18 steps:

.github/workflows/update-terraform-providers.yml

··· 5 5 - cron: "14 3 * * 1" 6 6 workflow_dispatch: 7 7 8 + permissions: 9 + contents: read 10 + 8 11 jobs: 9 12 tf-providers: 13 + permissions: 14 + contents: write # for peter-evans/create-pull-request to create branch 15 + issues: write # for peter-evans/create-or-update-comment to create or update comment 16 + pull-requests: write # for peter-evans/create-pull-request to create a PR 10 17 if: github.repository_owner == 'NixOS' && github.ref == 'refs/heads/master' # ensure workflow_dispatch only runs on master 11 18 runs-on: ubuntu-latest 12 19 steps: