From 782c2f0f2ff11b2f0e596af56f63415e3e29c2ee Mon Sep 17 00:00:00 2001
From: Vasyl Ivanchuk
Date: Tue, 26 Sep 2023 17:52:01 +0300
Subject: [PATCH] fix: set github actions permissions (#22)
---
 .github/workflows/api-e2e.yml | 5 +++++
 .github/workflows/app-deploy-feature-branch.yml | 6 ++++++
 .github/workflows/app-deploy-preview.yml | 4 ++++
 .github/workflows/app-deploy-prod.yml | 2 ++
 .github/workflows/app-e2e.yml | 5 +++++
 .github/workflows/nodejs-license.yaml | 16 ++++++++++------
 .github/workflows/release.yml | 7 +++++++
 .github/workflows/secrets_scanner.yaml | 2 ++
 .github/workflows/validate-pr.yml | 7 +++++++
 9 files changed, 48 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/api-e2e.yml b/.github/workflows/api-e2e.yml
index 7e3e58c62e..7879184d36 100644
--- a/.github/workflows/api-e2e.yml
+++ b/.github/workflows/api-e2e.yml
@@ -13,6 +13,11 @@ jobs:
     name: Run E2E tests
     timeout-minutes: 10
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: read
+      checks: write
+      pull-requests: write
     defaults:
       run:
         working-directory: ./packages/api
diff --git a/.github/workflows/app-deploy-feature-branch.yml b/.github/workflows/app-deploy-feature-branch.yml
index b886f8fb1e..5b862b4edd 100644
--- a/.github/workflows/app-deploy-feature-branch.yml
+++ b/.github/workflows/app-deploy-feature-branch.yml
@@ -5,6 +5,10 @@ jobs:
   build:
     name: Build and Test App
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      checks: write
     defaults:
       run:
         working-directory: ./packages/app
@@ -65,6 +69,8 @@ jobs:
     name: Feature Env, Mainnet+
     uses: ./.github/workflows/app-e2e.yml
     secrets: inherit
+    permissions:
+      contents: read
     with:
       targetUrl: ${{ needs.build.outputs.dappUrl }}
       default_network_value_for_e2e: "/?network=mainnet"
diff --git a/.github/workflows/app-deploy-preview.yml b/.github/workflows/app-deploy-preview.yml
index 7196cdb967..1e371e4637 100644
--- a/.github/workflows/app-deploy-preview.yml
+++ b/.github/workflows/app-deploy-preview.yml
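Review bot: The `checks: write` and `pull-requests: write` grants on the E2E job in api-e2e.yml cannot be traced from the hunk to any step that needs them, and `issues: read` is an unusual scope for a test job; the job's steps are outside the hunk. A one-line comment above `permissions:` naming the consumer, e.g. `# checks/pull-requests write: test-report publishing step; issues read: <step that needs it>`, lets a later reviewer drop a scope when that step changes. The same block recurs in app-deploy-feature-branch.yml's `build` job (without `issues`) and in validate-pr.yml's `build` job at `@@ -22,6 +24,11 @@`, so one justification comment per copy is worth adding. If any of these workflows is triggered by `pull_request` from a fork, the token is read-only there regardless of what is requested, so the write-dependent step should tolerate a permission failure.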
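Review bot: `permissions: contents: read` on a job that `uses:` a reusable workflow caps the GITHUB_TOKEN for every job inside app-e2e.yml at `contents: read`, because a called workflow can only lower, never raise, what the caller job passes; the same cap is added in app-deploy-preview.yml's hunk at `@@ -64,6 +66,8 @@`. app-e2e.yml's `publish` job ("Publish Allure link to GIT") is itself reduced to `contents: read` in this patch, so if its steps, which are outside the hunk, push to the repository or comment on the pull request, they will now fail with a permission error on every run. Confirm which scope that job actually needs and, if it writes, grant it here on the caller job (for example `pull-requests: write` or `contents: write`), since adding it only inside app-e2e.yml has no effect. A short comment above this `permissions:` block stating that it is the effective ceiling for the called workflow would make the coupling visible to the next editor.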
@@ -11,6 +11,8 @@ jobs:
   deploy:
     name: Deploy
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       dappUrl: ${{ steps.deploy.outputs.details_url }}
     steps:
@@ -64,6 +66,8 @@ jobs:
     name: Staging Env, Mainnet+
     uses: ./.github/workflows/app-e2e.yml
     secrets: inherit
+    permissions:
+      contents: read
     with:
       targetUrl: ${{ needs.deploy.outputs.dappUrl }}
       default_network_value_for_e2e: "/?network=mainnet"
diff --git a/.github/workflows/app-deploy-prod.yml b/.github/workflows/app-deploy-prod.yml
index a9bd007e3a..acf3fed16a 100644
--- a/.github/workflows/app-deploy-prod.yml
+++ b/.github/workflows/app-deploy-prod.yml
@@ -11,6 +11,8 @@ jobs:
   deploy:
     name: Deploy
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v3
diff --git a/.github/workflows/app-e2e.yml b/.github/workflows/app-e2e.yml
index d6090198c0..1dce661819 100644
--- a/.github/workflows/app-e2e.yml
+++ b/.github/workflows/app-e2e.yml
@@ -1,4 +1,5 @@
 name: BE App E2E tests
+
 on:
   workflow_call:
     secrets:
@@ -34,6 +35,8 @@ env:
 jobs:
   e2e:
     runs-on: [self-hosted, ci-runner]
+    permissions:
+      contents: read
     defaults:
       run:
         working-directory: ./packages/app
@@ -131,6 +134,8 @@ jobs:
   publish:
     name: Publish Allure link to GIT
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: e2e
     if: always()
     steps:
diff --git a/.github/workflows/nodejs-license.yaml b/.github/workflows/nodejs-license.yaml
index f59957d7de..03f05e0a4a 100644
--- a/.github/workflows/nodejs-license.yaml
+++ b/.github/workflows/nodejs-license.yaml
@@ -19,6 +19,7 @@ env:
     Public Domain;
     WTFPL;
     Unlicense;
+    UNLICENSED;
   # It has to be one line, there must be no space between packages.
   EXCLUDE_PACKAGES: testrpc@0.0.1;uuid@2.0.1;
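Review bot: Adding `UNLICENSED;` to the allowed-licenses list in nodejs-license.yaml makes the check accept any dependency whose package.json declares `"license": "UNLICENSED"`, which in npm's convention means no rights are granted at all, the opposite of what an allow-list should pass. If this was added so the repository's own private workspace packages stop failing the check, the narrower fix is to name them in `EXCLUDE_PACKAGES` on the line below, which already shows the `name@version;` form, and keep `UNLICENSED` rejected for third-party modules. If the allow-list entry must stay, a comment above it such as `# UNLICENSED: accepted only because our own private workspaces declare it; third-party packages should never carry this value` keeps the exception from being read as approval of proprietary dependencies.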
@@ -26,18 +27,22 @@ jobs:
   generate-matrix:
     name: Lists modules
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
       - uses: actions/checkout@v3
       - run: |
-          DIRS=$(find -not \( -path \*node_modules -prune \) -type f -name yarn.lock | xargs dirname | awk -v RS='' -v OFS='","' 'NF { $1 = $1; print "\"" $0 "\"" }')
+          DIRS=$(find -not \( -path \*node_modules -prune \) -type f -name package.json | xargs dirname | awk -v RS='' -v OFS='","' 'NF { $1 = $1; print "\"" $0 "\"" }')
           echo "matrix=[${DIRS}]" >> $GITHUB_OUTPUT
         id: set-matrix
   license-check:
     needs: [generate-matrix]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         dir: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
@@ -50,12 +55,11 @@ jobs:
         with:
           node-version: 18
-      - name: Install yarn
-        run: npm install -g yarn license-checker
+      - name: Install license checker
+        run: npm install -g license-checker
-      - name: Install dependencies in ${{ matrix.dir }}
-        working-directory: ${{ matrix.dir }}
-        run: yarn install
+      - name: Install dependencies
+        run: npm ci
       - name: Check licenses in ${{ matrix.dir }}
         working-directory: ${{ matrix.dir }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1615a8f5bc..d8e3c09fd2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,9 @@ jobs:
   createReleaseVersion:
     name: Create Release Version
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     outputs:
       releaseVersion: ${{ steps.release.outputs.releaseVersion }}
     steps:
@@ -53,6 +56,8 @@ jobs:
   deployBackendToStaging:
     name: Deploy Block Explorer backend to staging
     runs-on: [self-hosted, default]
+    permissions:
+      contents: read
     needs: createReleaseVersion
     if: ${{ github.ref == 'refs/heads/main' && needs.createReleaseVersion.outputs.releaseVersion != '' }}
     steps:
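Review bot: The install step in the `@@ -50,12 +55,11 @@` hunk of nodejs-license.yaml dropped `working-directory: ${{ matrix.dir }}`, so `npm ci` now runs at the repository root once per matrix entry, while the `generate-matrix` hunk on this same line widened the matrix from directories holding a `yarn.lock` to every directory holding a `package.json`. That combination is only correct if every enumerated directory is an npm workspace of the root manifest; a directory with its own lockfile, or a fixture or build directory containing a stray package.json, would be license-checked against an empty or unrelated `node_modules` and pass silently. Consider excluding non-workspace directories in the `find` expression, or making the check step fail when `node_modules` does not resolve for `${{ matrix.dir }}`, and add a comment above `DIRS=` stating that the matrix is expected to list workspaces only. The `find`-to-JSON pipeline also assumes directory names contain no `"` or newline; that assumption belongs in the same comment. The run script's enclosing job definition extends beyond the hunk.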
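Review bot: `contents: write` and `pull-requests: write` on `createReleaseVersion` in release.yml are the widest grants in this patch, and the hunk does not show which step uses them; only the `releaseVersion` output from `steps.release` is visible and the steps are outside the hunk. A comment above `permissions:` such as `# contents write: tag/release creation in steps.release; pull-requests write: <step that needs it>` records the justification so the scopes can be narrowed if the release action changes. If the job only reads pull requests to compute the next version, `pull-requests: read` would be sufficient; confirm against the steps.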
@@ -109,6 +114,8 @@ jobs:
   deployFrontendToStaging:
     name: Deploy Block Explorer frontend to staging
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: createReleaseVersion
     if: ${{ github.ref == 'refs/heads/main' && needs.createReleaseVersion.outputs.releaseVersion != '' }}
     steps:
diff --git a/.github/workflows/secrets_scanner.yaml b/.github/workflows/secrets_scanner.yaml
index 54054cf7cc..11468e7c94 100644
--- a/.github/workflows/secrets_scanner.yaml
+++ b/.github/workflows/secrets_scanner.yaml
@@ -2,6 +2,8 @@ name: Leaked Secrets Scan
 on: [pull_request]
 jobs:
   TruffleHog:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml
index e0e54ad6e2..539a8e0679 100644
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -12,6 +12,8 @@ jobs:
   label:
     name: Validate PR title
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
     steps:
       - uses: amannn/action-semantic-pull-request@v5
         with:
@@ -22,6 +24,11 @@ jobs:
   build:
     name: Build and Test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: read
+      checks: write
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
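Review bot: In the secrets_scanner.yaml hunk `permissions:` is inserted before `runs-on:`, whereas every other job in this patch places it after `runs-on:` (or after `secrets: inherit` for the reusable-workflow callers); moving the two added lines below `runs-on: ubuntu-latest` keeps the job key order uniform across the workflows, which matters for diffability when these blocks are edited together. `contents: read` is the right scope for a scanner that only needs the checkout; no wider grant is warranted.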