fix: set github actions permissions (#22)

.github/workflows/api-e2e.yml

@@ -13,6 +13,11 @@ jobs:
     name: Run E2E tests
     timeout-minutes: 10
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: read
+      checks: write
+      pull-requests: write
     defaults:
       run:
         working-directory: ./packages/api

.github/workflows/app-deploy-feature-branch.yml

@@ -5,6 +5,10 @@ jobs:
   build:
     name: Build and Test App
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      checks: write
     defaults:
       run:
         working-directory: ./packages/app
@@ -65,6 +69,8 @@ jobs:
     name: Feature Env, Mainnet+
     uses: ./.github/workflows/app-e2e.yml
     secrets: inherit
+    permissions:
+      contents: read
     with:
       targetUrl: ${{ needs.build.outputs.dappUrl }}
       default_network_value_for_e2e: "/?network=mainnet"

.github/workflows/app-deploy-preview.yml

@@ -11,6 +11,8 @@ jobs:
   deploy:
     name: Deploy
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       dappUrl: ${{ steps.deploy.outputs.details_url }}
     steps:
@@ -64,6 +66,8 @@ jobs:
     name: Staging Env, Mainnet+
     uses: ./.github/workflows/app-e2e.yml
     secrets: inherit
+    permissions:
+      contents: read
     with:
       targetUrl: ${{ needs.deploy.outputs.dappUrl }}
       default_network_value_for_e2e: "/?network=mainnet"

.github/workflows/app-deploy-prod.yml

@@ -11,6 +11,8 @@ jobs:
   deploy:
     name: Deploy
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v3

.github/workflows/app-e2e.yml

@@ -1,4 +1,5 @@
 name: BE App E2E tests
+
 on:
   workflow_call:
     secrets:
@@ -34,6 +35,8 @@ env:
 jobs:
   e2e:
     runs-on: [self-hosted, ci-runner]
+    permissions:
+      contents: read
     defaults:
       run:
         working-directory: ./packages/app
@@ -131,6 +134,8 @@ jobs:
   publish:
     name: Publish Allure link to GIT
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: e2e
     if: always()
     steps:

.github/workflows/nodejs-license.yaml

@@ -19,25 +19,30 @@ env:
     Public Domain;
     WTFPL;
     Unlicense;
+    UNLICENSED;
   # It has to be one line, there must be no space between packages.
   EXCLUDE_PACKAGES: [email protected];[email protected];
 
 jobs:
   generate-matrix:
     name: Lists modules
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
       - uses: actions/checkout@v3
       - run: |
-          DIRS=$(find -not \( -path \*node_modules -prune \) -type f -name yarn.lock  | xargs dirname | awk -v RS='' -v OFS='","' 'NF { $1 = $1; print "\"" $0 "\"" }')
+          DIRS=$(find -not \( -path \*node_modules -prune \) -type f -name package.json  | xargs dirname | awk -v RS='' -v OFS='","' 'NF { $1 = $1; print "\"" $0 "\"" }')
           echo "matrix=[${DIRS}]" >> $GITHUB_OUTPUT
         id: set-matrix
 
   license-check:
     needs: [generate-matrix]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         dir: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
@@ -50,12 +55,11 @@ jobs:
         with:
           node-version: 18
 
-      - name: Install yarn
-        run: npm install -g yarn license-checker
+      - name: Install license checker
+        run: npm install -g license-checker
 
-      - name: Install dependencies in ${{ matrix.dir }}
-        working-directory: ${{ matrix.dir }}
-        run: yarn install
+      - name: Install dependencies
+        run: npm ci
 
       - name: Check licenses in ${{ matrix.dir }}
         working-directory: ${{ matrix.dir }}

.github/workflows/release.yml

@@ -10,6 +10,9 @@ jobs:
   createReleaseVersion:
     name: Create Release Version
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     outputs:
       releaseVersion: ${{ steps.release.outputs.releaseVersion }}
     steps:
@@ -53,6 +56,8 @@ jobs:
   deployBackendToStaging:
     name: Deploy Block Explorer backend to staging
     runs-on: [self-hosted, default]
+    permissions:
+      contents: read
     needs: createReleaseVersion
     if: ${{ github.ref == 'refs/heads/main' && needs.createReleaseVersion.outputs.releaseVersion != '' }}
     steps:
@@ -109,6 +114,8 @@ jobs:
   deployFrontendToStaging:
     name: Deploy Block Explorer frontend to staging
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: createReleaseVersion
     if: ${{ github.ref == 'refs/heads/main' && needs.createReleaseVersion.outputs.releaseVersion != '' }}
     steps:

.github/workflows/secrets_scanner.yaml

@@ -2,6 +2,8 @@ name: Leaked Secrets Scan
 on: [pull_request]
 jobs:
   TruffleHog:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code

.github/workflows/validate-pr.yml

@@ -12,6 +12,8 @@ jobs:
   label:
     name: Validate PR title
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
     steps:
       - uses: amannn/action-semantic-pull-request@v5
         with:
@@ -22,6 +24,11 @@ jobs:
   build:
     name: Build and Test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: read
+      checks: write
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3