fix: set github actions permissions

matter-labs · Sep 26, 2023 · d158689 · d158689
1 parent 697d8f5
commit d158689
Show file tree

Hide file tree

Showing 9 changed files with 41 additions and 0 deletions.
diff --git a/.github/workflows/api-e2e.yml b/.github/workflows/api-e2e.yml
@@ -13,6 +13,11 @@ jobs:
     name: Run E2E tests
     timeout-minutes: 10
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: read
+      checks: write
+      pull-requests: write
     defaults:
       run:
         working-directory: ./packages/api

diff --git a/.github/workflows/app-deploy-feature-branch.yml b/.github/workflows/app-deploy-feature-branch.yml
@@ -5,6 +5,9 @@ jobs:
   build:
     name: Build and Test App
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     defaults:
       run:
         working-directory: ./packages/app
@@ -65,6 +68,8 @@ jobs:
     name: Feature Env, Mainnet+
     uses: ./.github/workflows/app-e2e.yml
     secrets: inherit
+    permissions:
+      contents: read
     with:
       targetUrl: ${{ needs.build.outputs.dappUrl }}
       default_network_value_for_e2e: "/?network=mainnet"

diff --git a/.github/workflows/app-deploy-preview.yml b/.github/workflows/app-deploy-preview.yml
@@ -11,6 +11,8 @@ jobs:
   deploy:
     name: Deploy
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       dappUrl: ${{ steps.deploy.outputs.details_url }}
     steps:
@@ -64,6 +66,8 @@ jobs:
     name: Staging Env, Mainnet+
     uses: ./.github/workflows/app-e2e.yml
     secrets: inherit
+    permissions:
+      contents: read
     with:
       targetUrl: ${{ needs.deploy.outputs.dappUrl }}
       default_network_value_for_e2e: "/?network=mainnet"

diff --git a/.github/workflows/app-deploy-prod.yml b/.github/workflows/app-deploy-prod.yml
@@ -11,6 +11,8 @@ jobs:
   deploy:
     name: Deploy
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v3

diff --git a/.github/workflows/app-e2e.yml b/.github/workflows/app-e2e.yml
@@ -1,4 +1,5 @@
 name: BE App E2E tests
+
 on:
   workflow_call:
     secrets:
@@ -34,6 +35,8 @@ env:
 jobs:
   e2e:
     runs-on: [self-hosted, ci-runner]
+    permissions:
+      contents: read
     defaults:
       run:
         working-directory: ./packages/app
@@ -131,6 +134,8 @@ jobs:
   publish:
     name: Publish Allure link to GIT
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: e2e
     if: always()
     steps:

diff --git a/.github/workflows/nodejs-license.yaml b/.github/workflows/nodejs-license.yaml
@@ -26,6 +26,8 @@ jobs:
   generate-matrix:
     name: Lists modules
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
@@ -38,6 +40,8 @@ jobs:
   license-check:
     needs: [generate-matrix]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         dir: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,6 +10,9 @@ jobs:
   createReleaseVersion:
     name: Create Release Version
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     outputs:
       releaseVersion: ${{ steps.release.outputs.releaseVersion }}
     steps:
@@ -53,6 +56,8 @@ jobs:
   deployBackendToStaging:
     name: Deploy Block Explorer backend to staging
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: createReleaseVersion
     if: ${{ github.ref == 'refs/heads/main' && needs.createReleaseVersion.outputs.releaseVersion != '' }}
     steps:
@@ -109,6 +114,8 @@ jobs:
   deployFrontendToStaging:
     name: Deploy Block Explorer frontend to staging
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: createReleaseVersion
     if: ${{ github.ref == 'refs/heads/main' && needs.createReleaseVersion.outputs.releaseVersion != '' }}
     steps:

diff --git a/.github/workflows/secrets_scanner.yaml b/.github/workflows/secrets_scanner.yaml
@@ -2,6 +2,8 @@ name: Leaked Secrets Scan
 on: [pull_request]
 jobs:
   TruffleHog:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code

diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml
@@ -12,6 +12,8 @@ jobs:
   label:
     name: Validate PR title
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
     steps:
       - uses: amannn/action-semantic-pull-request@v5
         with:
@@ -22,6 +24,11 @@ jobs:
   build:
     name: Build and Test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: read
+      checks: write
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3