From b1f77d975ef72c6bfadafed43c473540b9ffd0e3 Mon Sep 17 00:00:00 2001 From: Naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Fri, 8 Apr 2022 23:55:43 -0500 Subject: [PATCH] Set permissions for GitHub actions (#1168) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/go.yml | 3 +++ .github/workflows/test-yq.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index f38b3647..f50ae76a 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -1,5 +1,8 @@ name: Build on: [push, pull_request] +permissions: + contents: read + jobs: build: diff --git a/.github/workflows/test-yq.yml b/.github/workflows/test-yq.yml index 01a3306d..7c019700 100644 --- a/.github/workflows/test-yq.yml +++ b/.github/workflows/test-yq.yml @@ -1,5 +1,8 @@ name: Test Yq Action on: [push] +permissions: + contents: read + jobs: build: