From 89b756d6767b4886a39f6786d7b329d6c776b46e Mon Sep 17 00:00:00 2001
From: anakinxc <103552181+anakinxc@users.noreply.github.com>
Date: Thu, 11 Jan 2024 13:53:17 +0800
Subject: [PATCH] Limit workflow permissions (#200)
---
 .github/workflows/buildifier.yml | 2 ++
 .github/workflows/cla.yml | 2 ++
 .github/workflows/clang-format-linter.yml | 2 ++
 .github/workflows/stale.yml | 3 +++
 .github/workflows/yaml-lint.yml | 2 ++
 5 files changed, 11 insertions(+)
diff --git a/.github/workflows/buildifier.yml b/.github/workflows/buildifier.yml
index 373141f..fb34efe 100644
--- a/.github/workflows/buildifier.yml
+++ b/.github/workflows/buildifier.yml
@@ -7,6 +7,8 @@ on:
 pull_request:
 branches:
 - main
+permissions:
+ contents: read
 jobs:
 bazel-formatting-check:
 uses: secretflow/.github/.github/workflows/bazel-linter.yml@main
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 926e495..6fabd8c 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -5,6 +5,8 @@ on:
 types: [created]
 pull_request_target:
 types: [opened, closed, synchronize]
+permissions:
+ contents: write
 jobs:
 CLAssistant:
 uses: secretflow/.github/.github/workflows/cla.yml@main
diff --git a/.github/workflows/clang-format-linter.yml b/.github/workflows/clang-format-linter.yml
index d49a73e..d5efb2e 100644
--- a/.github/workflows/clang-format-linter.yml
+++ b/.github/workflows/clang-format-linter.yml
@@ -7,6 +7,8 @@ on:
 pull_request:
 branches:
 - main
+permissions:
+ contents: read
 jobs:
 run-clang-format:
 uses: secretflow/.github/.github/workflows/clang-format.yml@main
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index beef7e2..9216b2b 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,6 +4,9 @@ on:
 workflow_dispatch:
 schedule:
 - cron: 40 9 * * *
+permissions:
+ pull-requests: write
+ issues: write
 jobs:
 stale:
 uses: secretflow/.github/.github/workflows/stale.yml@main
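Review bot: The `contents: read` ceiling added in buildifier.yml bounds the token but not the code that receives it, because the job still calls `secretflow/.github/.github/workflows/bazel-linter.yml@main`, a mutable branch ref, so what runs under this token can change without any commit in this repository. The same holds for the cla.yml, clang-format-linter.yml, stale.yml and yaml-lint.yml hunks, and it matters most for the two that grant write scopes. Pinning each `uses:` to a full commit SHA would tie the permission review to a fixed revision, e.g. `uses: secretflow/.github/.github/workflows/bazel-linter.yml@<commit-sha>  # main`. A caller-level `permissions:` block also sets every unlisted scope to none, so it is worth confirming that the called linters need nothing beyond reading contents; the called workflows are not visible in this patch.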
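Review bot: `contents: write` in cla.yml is the most sensitive grant in this patch, since the workflow is triggered by `pull_request_target`, which runs in the base repository's context even for pull requests from forks, and the hunk gives no reason for the scope. If the called CLA workflow commits signatures to this repository the scope is presumably needed, but that should be recorded next to it, e.g. `# contents: write: CLA signatures are committed to this repo (confirm)`. Because unlisted scopes drop to none once `permissions:` is present, also check whether the called workflow needs `pull-requests: write` or `statuses: write` to comment on and mark the pull request; if it does, it will fail under this block unless it uses a separate token. The called workflow is outside this diff, so it should be confirmed there that it never checks out or executes the pull request's head code while holding the write token.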
diff --git a/.github/workflows/yaml-lint.yml b/.github/workflows/yaml-lint.yml
index 881fcb6..8f5e07f 100644
--- a/.github/workflows/yaml-lint.yml
+++ b/.github/workflows/yaml-lint.yml
@@ -7,6 +7,8 @@ on:
 pull_request:
 branches:
 - main
+permissions:
+ contents: read
 jobs:
 yaml-linter:
 uses: secretflow/.github/.github/workflows/yaml-linter.yml@main