This is an automated email from the ASF dual-hosted git repository.
aleks pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/fineract.git
The following commit(s) were added to refs/heads/develop by this push:
new e088e4d70 chore: Set permissions for GitHub actions
e088e4d70 is described below
commit e088e4d70d2e04853a4e1975a1c899325c64c4c1
Author: naveensrinivasan <[email protected]>
AuthorDate: Sat Apr 16 18:54:14 2022 -0500
chore: Set permissions for GitHub actions
Restrict the GitHub token permissions to only the required ones; this way,
even if an attacker succeeds in compromising the workflow, they will not be
able to do much.
- Included permissions for the action.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn
requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
Signed-off-by: naveensrinivasan
<[email protected]>
---
.github/workflows/build-docker-postgresql.yml | 3 +++
.github/workflows/build-docker.yml | 3 +++
.github/workflows/build-postgresql.yml | 3 +++
.github/workflows/build.yml | 3 +++
.github/workflows/fineract.dev.yaml | 3 +++
.github/workflows/sonarqube.yml | 3 +++
.github/workflows/stale.yml | 6 ++++++
7 files changed, 24 insertions(+)
diff --git a/.github/workflows/build-docker-postgresql.yml
b/.github/workflows/build-docker-postgresql.yml
index e3efe6fda..2cf021969 100644
--- a/.github/workflows/build-docker-postgresql.yml
+++ b/.github/workflows/build-docker-postgresql.yml
@@ -2,6 +2,9 @@ name: Fineract Docker build for PostgreSQL
on: [push, pull_request]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-20.04
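Review bot: The workflow-level `contents: read` is the right default, but the `build` job continues past `runs-on: ubuntu-20.04` outside this hunk, so it is not visible whether any step publishes an image with `GITHUB_TOKEN`; if one does, that job now needs its own `permissions:` block with `packages: write`, because a workflow-level block removes the default write scopes for every job. The same applies to the build-docker.yml hunk. A comment above the new block, `# default-deny for GITHUB_TOKEN; a job that publishes must widen scope at job level`, would record the intent for the next editor.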
diff --git a/.github/workflows/build-docker.yml
b/.github/workflows/build-docker.yml
index 5d820b687..dc6d6c7ec 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -2,6 +2,9 @@ name: Fineract Docker build
on: [push, pull_request]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-20.04
diff --git a/.github/workflows/build-postgresql.yml
b/.github/workflows/build-postgresql.yml
index 0366f8268..b53bbe8bb 100644
--- a/.github/workflows/build-postgresql.yml
+++ b/.github/workflows/build-postgresql.yml
@@ -1,6 +1,9 @@
name: Fineract Gradle build - basicauth - PostgreSQL
on: [push, pull_request]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-20.04
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0fa6bbe55..0b6a67deb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,6 +1,9 @@
name: Fineract Gradle build - basicauth
on: [push, pull_request]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-20.04
diff --git a/.github/workflows/fineract.dev.yaml
b/.github/workflows/fineract.dev.yaml
index eed28433b..cbdb47040 100644
--- a/.github/workflows/fineract.dev.yaml
+++ b/.github/workflows/fineract.dev.yaml
@@ -15,6 +15,9 @@ on:
branches:
- develop
+permissions:
+ contents: read
+
jobs:
setup-build-deploy:
name: Deploy on Fineract.dev
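Review bot: The `setup-build-deploy` job that begins at `name: Deploy on Fineract.dev` runs past the end of the hunk, so it is not visible whether it uses `GITHUB_TOKEN` for anything beyond checkout; with the token now limited to `contents: read`, any step that records deployment statuses or pushes packages would need a job-level `permissions:` entry such as `deployments: write` or `packages: write`. If the deployment instead authenticates with credentials held in repository secrets, a one-line comment next to `permissions:` saying so would document why read-only is sufficient here.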
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
index 450bc94eb..b98a186c6 100644
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@@ -1,6 +1,9 @@
name: Fineract Sonarqube
on: [push, pull_request]
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-20.04
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 0b2109b80..113ef1b76 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -5,8 +5,14 @@ name: Mark stale issues and pull requests
on:
schedule:
- cron: "0 0 * * *"
+permissions:
+ contents: read
+
jobs:
stale:
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v5
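Review bot: The job-level `permissions:` block on `stale` replaces the workflow-level one rather than merging with it, so inside this job `contents` is `none`, not `read`; that appears to be fine for `actions/stale@v5`, which per the comments on those two lines only needs the issue and pull-request scopes, but nothing in the file says the narrowing is deliberate. I'd add `# job-level block replaces the workflow default; contents is none here, which actions/stale does not need` above `issues: write`. The workflow-level `contents: read` then only serves as a default for any job added later without its own block.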