build: add GitHub token permissions for workflows

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io> PR-URL: https://github.com/nodejs/node/pull/43743 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
2022-07-12 14:50:46 -07:00 · 2022-07-12 14:50:46 -07:00 · d6988ec9be
commit d6988ec9be
parent feb3aa205b
24 changed files with 93 additions and 0 deletions
--- a/.github/workflows/authors.yml
+++ b/.github/workflows/authors.yml
@ -6,6 +6,9 @@ on:
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  authors_update:
    if: github.repository == 'nodejs/node'
--- a/.github/workflows/auto-start-ci.yml
+++ b/.github/workflows/auto-start-ci.yml
@ -13,8 +13,13 @@ concurrency: ${{ github.workflow }}
 env:
  NODE_VERSION: lts/*
 permissions:
  contents: read
 jobs:
  get-prs-for-ci:
    permissions:
      pull-requests: read
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-latest
    outputs:
@ -32,6 +37,9 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  start-ci:
    permissions:
      contents: read
      pull-requests: write
    needs: get-prs-for-ci
    if: needs.get-prs-for-ci.outputs.numbers != ''
    runs-on: ubuntu-latest
--- a/.github/workflows/build-tarball.yml
+++ b/.github/workflows/build-tarball.yml
@ -31,6 +31,9 @@ env:
  PYTHON_VERSION: '3.10'
  FLAKY_TESTS: dontcare
 permissions:
  contents: read
 jobs:
  build-tarball:
    if: github.event.pull_request.draft == false
--- a/.github/workflows/build-windows.yml
+++ b/.github/workflows/build-windows.yml
@ -26,6 +26,9 @@ env:
  PYTHON_VERSION: '3.10'
  FLAKY_TESTS: dontcare
 permissions:
  contents: read
 jobs:
  build-windows:
    if: github.event.pull_request.draft == false
--- a/.github/workflows/close-stale-feature-requests.yml
+++ b/.github/workflows/close-stale-feature-requests.yml
@ -28,8 +28,14 @@ env:
    [feature request management document](https://github.com/nodejs/node/blob/HEAD/doc/contributing/feature-request-management.md).
 # yamllint enable
 permissions:
  contents: read
 jobs:
  stale:
    permissions:
      issues: write  # for actions/stale to close stale issues
      pull-requests: write  # for actions/stale to close stale PRs
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/close-stalled.yml
+++ b/.github/workflows/close-stalled.yml
@ -9,8 +9,14 @@ env:
    is still relevant, or to ping the collaborator who labelled it stalled if
    you have any questions.
 permissions:
  contents: read
 jobs:
  stale:
    permissions:
      issues: write  # for actions/stale to close stale issues
      pull-requests: write  # for actions/stale to close stale PRs
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/comment-labeled.yml
+++ b/.github/workflows/comment-labeled.yml
@ -11,8 +11,14 @@ env:
    If it should remain open, please leave a comment explaining why it should remain open.
  FAST_TRACK_MESSAGE: Fast-track has been requested by @${{ github.actor }}. Please 👍 to approve.
 permissions:
  contents: read
 jobs:
  stale-comment:
    permissions:
      issues: write
      pull-requests: write
    if: github.repository == 'nodejs/node' && github.event.label.name == 'stalled'
    runs-on: ubuntu-latest
    steps:
@ -23,6 +29,8 @@ jobs:
        run: gh issue comment "$NUMBER" --repo ${{ github.repository }} --body "$STALE_MESSAGE"
  fast-track:
    permissions:
      pull-requests: write
    if: github.repository == 'nodejs/node' && github.event_name == 'pull_request_target' && github.event.label.name == 'fast-track'
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@ -5,6 +5,9 @@ on: [pull_request]
 env:
  NODE_VERSION: lts/*
 permissions:
  contents: read
 jobs:
  lint-commit-message:
    runs-on: ubuntu-latest
--- a/.github/workflows/commit-queue.yml
+++ b/.github/workflows/commit-queue.yml
@ -18,8 +18,13 @@ concurrency: ${{ github.workflow }}
 env:
  NODE_VERSION: lts/*
 permissions:
  contents: read
 jobs:
  get_mergeable_prs:
    permissions:
      pull-requests: read
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-latest
    outputs:
--- a/.github/workflows/coverage-linux.yml
+++ b/.github/workflows/coverage-linux.yml
@ -29,6 +29,9 @@ env:
  PYTHON_VERSION: '3.10'
  FLAKY_TESTS: dontcare
 permissions:
  contents: read
 jobs:
  coverage-linux:
    if: github.event.pull_request.draft == false
--- a/.github/workflows/coverage-windows.yml
+++ b/.github/workflows/coverage-windows.yml
@ -31,6 +31,9 @@ env:
  PYTHON_VERSION: '3.10'
  FLAKY_TESTS: dontcare
 permissions:
  contents: read
 jobs:
  coverage-windows:
    if: github.event.pull_request.draft == false
--- a/.github/workflows/daily.yml
+++ b/.github/workflows/daily.yml
@ -8,6 +8,9 @@ on:
 env:
  NODE_VERSION: lts/*
 permissions:
  contents: read
 jobs:
  build-lto:
    runs-on: ubuntu-latest
--- a/.github/workflows/doc.yml
+++ b/.github/workflows/doc.yml
@ -16,6 +16,9 @@ concurrency:
 env:
  NODE_VERSION: lts/*
 permissions:
  contents: read
 jobs:
  build-docs:
    if: github.event.pull_request.draft == false
--- a/.github/workflows/find-inactive-collaborators.yml
+++ b/.github/workflows/find-inactive-collaborators.yml
@ -10,6 +10,9 @@ on:
 env:
  NODE_VERSION: lts/*
 permissions:
  contents: read
 jobs:
  find:
    if: github.repository == 'nodejs/node'
--- a/.github/workflows/find-inactive-tsc.yml
+++ b/.github/workflows/find-inactive-tsc.yml
@ -10,6 +10,9 @@ on:
 env:
  NODE_VERSION: lts/*
 permissions:
  contents: read
 jobs:
  find:
    if: github.repository == 'nodejs/node'
--- a/.github/workflows/label-pr.yml
+++ b/.github/workflows/label-pr.yml
@ -4,6 +4,9 @@ on:
  pull_request_target:
    types: [opened]
 permissions:
  contents: read
 jobs:
  label:
    runs-on: ubuntu-latest
--- a/.github/workflows/license-builder.yml
+++ b/.github/workflows/license-builder.yml
@ -6,8 +6,14 @@ on:
    - cron: 0 0 * * 1
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  update_license:
    permissions:
      contents: write  # for gr2m/create-or-update-pull-request-action to push local changes
      pull-requests: write  # for gr2m/create-or-update-pull-request-action to create a PR
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@ -17,6 +17,9 @@ env:
  PYTHON_VERSION: '3.10'
  NODE_VERSION: lts/*
 permissions:
  contents: read
 jobs:
  lint-addon-docs:
    if: github.event.pull_request.draft == false
--- a/.github/workflows/notify-force-push.yml
+++ b/.github/workflows/notify-force-push.yml
@ -4,6 +4,9 @@ on:
      - main
 name: Notify on Force Push
 permissions:
  contents: read
 jobs:
  slackNotification:
    name: Slack Notification
--- a/.github/workflows/test-asan.yml
+++ b/.github/workflows/test-asan.yml
@ -33,6 +33,9 @@ env:
  PYTHON_VERSION: '3.10'
  FLAKY_TESTS: dontcare
 permissions:
  contents: read
 jobs:
  test-asan:
    if: github.event.pull_request.draft == false
--- a/.github/workflows/test-internet.yml
+++ b/.github/workflows/test-internet.yml
@ -24,6 +24,9 @@ env:
  PYTHON_VERSION: '3.10'
  FLAKY_TESTS: dontcare
 permissions:
  contents: read
 jobs:
  test-internet:
    runs-on: ubuntu-latest
--- a/.github/workflows/test-linux.yml
+++ b/.github/workflows/test-linux.yml
@ -26,6 +26,9 @@ env:
  PYTHON_VERSION: '3.10'
  FLAKY_TESTS: dontcare
 permissions:
  contents: read
 jobs:
  test-linux:
    if: github.event.pull_request.draft == false
--- a/.github/workflows/test-macos.yml
+++ b/.github/workflows/test-macos.yml
@ -32,6 +32,9 @@ env:
  PYTHON_VERSION: '3.10'
  FLAKY_TESTS: dontcare
 permissions:
  contents: read
 jobs:
  test-macOS:
    if: github.event.pull_request.draft == false
--- a/.github/workflows/tools.yml
+++ b/.github/workflows/tools.yml
@ -6,6 +6,9 @@ on:
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  tools-deps-update:
    if: github.repository == 'nodejs/node'