mirror of
https://github.com/dorny/paths-filter.git
synced 2026-06-16 16:38:35 +00:00
Add minimal permissions blocks to GitHub Actions workflows
Address CodeQL security findings by explicitly declaring least-privilege permissions for all workflow jobs. Jobs that only need repository checkout get contents: read; jobs that also use the GitHub API for PR file lists get both contents: read and pull-requests: read.
This commit is contained in:
Jim Kane
parent
540ff54272
commit
899aeb93af
4
.github/workflows/build.yml
vendored
4
.github/workflows/build.yml
vendored
@ -9,6 +9,8 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/setup-node@v6
|
||||
@ -21,6 +23,8 @@ jobs:
|
||||
|
||||
self-test:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: ./
|
||||
|
||||
12
.github/workflows/pull-request-verification.yml
vendored
12
.github/workflows/pull-request-verification.yml
vendored
@ -9,6 +9,8 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/setup-node@v6
|
||||
@ -22,6 +24,7 @@ jobs:
|
||||
test-inline:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: read
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
@ -43,6 +46,7 @@ jobs:
|
||||
test-external:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: read
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
@ -56,6 +60,8 @@ jobs:
|
||||
|
||||
test-without-token:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: ./
|
||||
@ -69,6 +75,8 @@ jobs:
|
||||
|
||||
test-wd-without-token:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
with:
|
||||
@ -85,6 +93,8 @@ jobs:
|
||||
|
||||
test-local-changes:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- run: echo "NEW FILE" > local
|
||||
@ -105,6 +115,8 @@ jobs:
|
||||
|
||||
test-change-type:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- name: configure GIT user
|
||||
|
||||
Loading…
Reference in New Issue
Block a user