Harden GitHub Workflows security (#8664)

2022-12-03 17:47:30 +02:00 · 2022-12-03 17:47:30 +02:00 · e2cea6121a
commit e2cea6121a
parent db2c0d4c91
4 changed files with 11 additions and 0 deletions
--- a/.github/workflows/automation.yml
+++ b/.github/workflows/automation.yml
@ -7,6 +7,7 @@ on:
  pull_request_target:
  issue_comment:

+permissions: {}
 jobs:
  label:
    name: Labeling
--- a/.github/workflows/commands.yml
+++ b/.github/workflows/commands.yml
@ -9,6 +9,7 @@ on:
      - labeled
      - synchronize

+permissions: {}
 jobs:
  rebase:
    name: Rebase
@ -34,6 +35,9 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.JF_BOT_TOKEN }}

  check-backport:
+    permissions:
+      contents: read
+
    name: Check Backport
    if: ${{ ( github.event.issue.pull_request && contains(github.event.comment.body, '@jellyfin-bot check backport') ) || github.event.label.name == 'stable backport' || contains(github.event.pull_request.labels.*.name, 'stable backport' ) }}
    runs-on: ubuntu-latest
--- a/.github/workflows/openapi.yml
+++ b/.github/workflows/openapi.yml
@ -5,6 +5,8 @@ on:
      - master
  pull_request_target:

+permissions: {}
+
 jobs:
  openapi-head:
    name: OpenAPI - HEAD
@ -55,6 +57,9 @@ jobs:
          path: tests/Jellyfin.Server.Integration.Tests/bin/Release/net6.0/openapi.json

  openapi-diff:
+    permissions:
+      pull-requests: write  #  to create or update comment (peter-evans/create-or-update-comment)
+
    name: OpenAPI - Difference
    if: ${{ github.event_name == 'pull_request_target' }}
    runs-on: ubuntu-latest
--- a/.github/workflows/repo-stale.yaml
+++ b/.github/workflows/repo-stale.yaml
@ -5,6 +5,7 @@ on:
    - cron: '30 1 * * *'
  workflow_dispatch:

+permissions: {}
 jobs:
  stale:
    runs-on: ubuntu-latest