Skip to content

Commit

Permalink
security: add permissions block to workflows (#80)
Browse files Browse the repository at this point in the history
## Details

⚠️ This PR was created by an automated tool. Please review the changes
carefully. ⚠️

We want to set the default permissions for workflows to read-only for
contents.
This is a security measure to prevent accidental changes to the
repository.

This change adds a top-level permissions block to all workflows in the
.github/workflows directory.
```yaml
permissions:
  contents: read
```

In some cases workflows might need more permissions than just `contents:
read`.
Please checkout this branch and add the necessary permissions to the
workflows.

If your workflow uses a Personal Access Token (PAT), we can still add
the permissions block,
   but it will not have any effect.

Merging this PR as is might cause workflows that need more permissions
to fail.

If there are any questions, please reach out to the
@elastic/observablt-ci
  • Loading branch information
reakaleek authored Mar 12, 2024
1 parent 4554e51 commit b3b1fa7
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/add-issues-to-ingest-board.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ env:
AREA_FIELD_ID: 'PVTSSF_lADOAGc3Zs4AEzn4zgEgZSo'
ELASTIC_AGENT_OPTION_ID: 'c1e1a30a'

permissions:
contents: read

jobs:
add_to_ingest_project:
runs-on: ubuntu-latest
Expand Down

0 comments on commit b3b1fa7

Please sign in to comment.