1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

build: add GitHub token permissions for workflows

Browse Source 
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>

PR-URL: https://github.com/nodejs/node/pull/43743
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This commit is contained in:
Varun Sharma 2022-07-12 14:50:46 -07:00 committed by GitHub
parent feb3aa205b
commit d6988ec9be
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
24 changed files with 93 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/authors.yml vendored
View File

@ -6,6 +6,9 @@ on:
workflow_dispatch:
permissions:
contents: read
jobs:
authors_update:
if: github.repository == 'nodejs/node'

8
.github/workflows/auto-start-ci.yml vendored
View File

@ -13,8 +13,13 @@ concurrency: ${{ github.workflow }}
env:
NODE_VERSION: lts/*
permissions:
contents: read
jobs:
get-prs-for-ci:
permissions:
pull-requests: read
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
outputs:
@ -32,6 +37,9 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
start-ci:
permissions:
contents: read
pull-requests: write
needs: get-prs-for-ci
if: needs.get-prs-for-ci.outputs.numbers != ''
runs-on: ubuntu-latest

3
.github/workflows/build-tarball.yml vendored
View File

@ -31,6 +31,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare
permissions:
contents: read
jobs:
build-tarball:
if: github.event.pull_request.draft == false

3
.github/workflows/build-windows.yml vendored
View File

@ -26,6 +26,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare
permissions:
contents: read
jobs:
build-windows:
if: github.event.pull_request.draft == false

6
.github/workflows/close-stale-feature-requests.yml vendored
View File

@ -28,8 +28,14 @@ env:
[feature request management document](https://github.com/nodejs/node/blob/HEAD/doc/contributing/feature-request-management.md).
# yamllint enable
permissions:
contents: read
jobs:
stale:
permissions:
issues: write # for actions/stale to close stale issues
pull-requests: write # for actions/stale to close stale PRs
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
steps:

6
.github/workflows/close-stalled.yml vendored
View File

@ -9,8 +9,14 @@ env:
is still relevant, or to ping the collaborator who labelled it stalled if
you have any questions.
permissions:
contents: read
jobs:
stale:
permissions:
issues: write # for actions/stale to close stale issues
pull-requests: write # for actions/stale to close stale PRs
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
steps:

8
.github/workflows/comment-labeled.yml vendored
View File

@ -11,8 +11,14 @@ env:
If it should remain open, please leave a comment explaining why it should remain open.
FAST_TRACK_MESSAGE: Fast-track has been requested by @${{ github.actor }}. Please 👍 to approve.
permissions:
contents: read
jobs:
stale-comment:
permissions:
issues: write
pull-requests: write
if: github.repository == 'nodejs/node' && github.event.label.name == 'stalled'
runs-on: ubuntu-latest
steps:
@ -23,6 +29,8 @@ jobs:
run: gh issue comment "$NUMBER" --repo ${{ github.repository }} --body "$STALE_MESSAGE"
fast-track:
permissions:
pull-requests: write
if: github.repository == 'nodejs/node' && github.event_name == 'pull_request_target' && github.event.label.name == 'fast-track'
runs-on: ubuntu-latest
steps:

3
.github/workflows/commit-lint.yml vendored
View File

@ -5,6 +5,9 @@ on: [pull_request]
env:
NODE_VERSION: lts/*
permissions:
contents: read
jobs:
lint-commit-message:
runs-on: ubuntu-latest

5
.github/workflows/commit-queue.yml vendored
View File

@ -18,8 +18,13 @@ concurrency: ${{ github.workflow }}
env:
NODE_VERSION: lts/*
permissions:
contents: read
jobs:
get_mergeable_prs:
permissions:
pull-requests: read
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
outputs:

3
.github/workflows/coverage-linux.yml vendored
View File

@ -29,6 +29,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare
permissions:
contents: read
jobs:
coverage-linux:
if: github.event.pull_request.draft == false

3
.github/workflows/coverage-windows.yml vendored
View File

@ -31,6 +31,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare
permissions:
contents: read
jobs:
coverage-windows:
if: github.event.pull_request.draft == false

3
.github/workflows/daily.yml vendored
View File

@ -8,6 +8,9 @@ on:
env:
NODE_VERSION: lts/*
permissions:
contents: read
jobs:
build-lto:
runs-on: ubuntu-latest

3
.github/workflows/doc.yml vendored
View File

@ -16,6 +16,9 @@ concurrency:
env:
NODE_VERSION: lts/*
permissions:
contents: read
jobs:
build-docs:
if: github.event.pull_request.draft == false

3
.github/workflows/find-inactive-collaborators.yml vendored
View File

@ -10,6 +10,9 @@ on:
env:
NODE_VERSION: lts/*
permissions:
contents: read
jobs:
find:
if: github.repository == 'nodejs/node'

3
.github/workflows/find-inactive-tsc.yml vendored
View File

@ -10,6 +10,9 @@ on:
env:
NODE_VERSION: lts/*
permissions:
contents: read
jobs:
find:
if: github.repository == 'nodejs/node'

3
.github/workflows/label-pr.yml vendored
View File

@ -4,6 +4,9 @@ on:
pull_request_target:
types: [opened]
permissions:
contents: read
jobs:
label:
runs-on: ubuntu-latest

6
.github/workflows/license-builder.yml vendored
View File

@ -6,8 +6,14 @@ on:
- cron: 0 0 * * 1
workflow_dispatch:
permissions:
contents: read
jobs:
update_license:
permissions:
contents: write # for gr2m/create-or-update-pull-request-action to push local changes
pull-requests: write # for gr2m/create-or-update-pull-request-action to create a PR
if: github.repository == 'nodejs/node'
runs-on: ubuntu-latest
steps:

3
.github/workflows/linters.yml vendored
View File

@ -17,6 +17,9 @@ env:
PYTHON_VERSION: '3.10'
NODE_VERSION: lts/*
permissions:
contents: read
jobs:
lint-addon-docs:
if: github.event.pull_request.draft == false

3
.github/workflows/notify-force-push.yml vendored
View File

@ -4,6 +4,9 @@ on:
- main
name: Notify on Force Push
permissions:
contents: read
jobs:
slackNotification:
name: Slack Notification

3
.github/workflows/test-asan.yml vendored
View File

@ -33,6 +33,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare
permissions:
contents: read
jobs:
test-asan:
if: github.event.pull_request.draft == false

3
.github/workflows/test-internet.yml vendored
View File

@ -24,6 +24,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare
permissions:
contents: read
jobs:
test-internet:
runs-on: ubuntu-latest

3
.github/workflows/test-linux.yml vendored
View File

@ -26,6 +26,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare
permissions:
contents: read
jobs:
test-linux:
if: github.event.pull_request.draft == false

3
.github/workflows/test-macos.yml vendored
View File

@ -32,6 +32,9 @@ env:
PYTHON_VERSION: '3.10'
FLAKY_TESTS: dontcare
permissions:
contents: read
jobs:
test-macOS:
if: github.event.pull_request.draft == false

3
.github/workflows/tools.yml vendored
View File

@ -6,6 +6,9 @@ on:
workflow_dispatch:
permissions:
contents: read
jobs:
tools-deps-update:
if: github.repository == 'nodejs/node'