This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 00cc4386e chore: Set permissions for GitHub actions (#6986)
00cc4386e is described below
commit 00cc4386eeef8632ec7a80f2e93d36820579ea20
Author: Naveen <[email protected]>
AuthorDate: Fri May 6 21:21:45 2022 -0500
chore: Set permissions for GitHub actions (#6986)
Restrict the GitHub token permissions to only the ones required; this way,
even if attackers succeed in compromising your workflow, they won't be
able to do much.
- Included permissions for the action.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn
requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
Signed-off-by: naveen <[email protected]>
---
.github/workflows/build.yml | 3 +++
.github/workflows/centos7-ci.yml | 3 +++
.github/workflows/chaos.yml | 3 +++
.github/workflows/cli-master.yml | 3 +++
.github/workflows/cli.yml | 3 +++
.github/workflows/code-lint.yml | 3 +++
.github/workflows/doc-lint.yml | 3 +++
.github/workflows/fuzzing-ci.yaml | 3 +++
.github/workflows/kubernetes-ci.yml | 3 +++
.github/workflows/lint.yml | 3 +++
.github/workflows/performance.yml | 3 +++
.github/workflows/stale.yml | 6 ++++++
.github/workflows/tars-ci.yml | 3 +++
13 files changed, 42 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a47e69741..2fe71b9a1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -16,6 +16,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/master' &&
github.run_number || github.ref }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
build:
strategy:
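Review bot: The new top-level `permissions: contents: read` also downgrades every scope other than `contents` to `none` for every job in build.yml, and the identical block is added in the centos7-ci, chaos, cli-master, cli, code-lint, doc-lint, fuzzing-ci, kubernetes-ci, lint, performance and tars-ci hunks; the job bodies lie outside these hunks, so whether any step in them needs a write scope (for example commenting on a pull request or pushing a tag) cannot be confirmed here and should be checked against a push or schedule run on master, where the token would previously have been read/write if the repository uses the default setting. On `pull_request` events from forks the token was already read-only, so any breakage will surface only on non-fork runs. A short comment above the block would help the next maintainer who meets a 403 from the API: `# least-privilege GITHUB_TOKEN; a job needing more scopes must declare its own permissions block`.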
diff --git a/.github/workflows/centos7-ci.yml b/.github/workflows/centos7-ci.yml
index f5485dc13..b5ef89c07 100644
--- a/.github/workflows/centos7-ci.yml
+++ b/.github/workflows/centos7-ci.yml
@@ -16,6 +16,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/master' &&
github.run_number || github.ref }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
test_apisix:
name: run ci on centos7
diff --git a/.github/workflows/chaos.yml b/.github/workflows/chaos.yml
index 147e0235d..677b6150d 100644
--- a/.github/workflows/chaos.yml
+++ b/.github/workflows/chaos.yml
@@ -11,6 +11,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/master' &&
github.run_number || github.ref }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
chaos-test:
runs-on: ubuntu-latest
diff --git a/.github/workflows/cli-master.yml b/.github/workflows/cli-master.yml
index f707b77f6..32c30b273 100644
--- a/.github/workflows/cli-master.yml
+++ b/.github/workflows/cli-master.yml
@@ -16,6 +16,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/master' &&
github.run_number || github.ref }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
build:
strategy:
diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml
index 901c73829..1dc9e6a9d 100644
--- a/.github/workflows/cli.yml
+++ b/.github/workflows/cli.yml
@@ -16,6 +16,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/master' &&
github.run_number || github.ref }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
build:
strategy:
diff --git a/.github/workflows/code-lint.yml b/.github/workflows/code-lint.yml
index fee2be1a8..fb61da125 100644
--- a/.github/workflows/code-lint.yml
+++ b/.github/workflows/code-lint.yml
@@ -7,6 +7,9 @@ on:
- 'docs/**'
- '**/*.md'
+permissions:
+ contents: read
+
jobs:
lint:
runs-on: ubuntu-latest
diff --git a/.github/workflows/doc-lint.yml b/.github/workflows/doc-lint.yml
index 2b4d0a710..920ebc454 100644
--- a/.github/workflows/doc-lint.yml
+++ b/.github/workflows/doc-lint.yml
@@ -7,6 +7,9 @@ on:
- 'docs/**'
- '**/*.md'
+permissions:
+ contents: read
+
jobs:
markdownlint:
name: 🍇 Markdown
diff --git a/.github/workflows/fuzzing-ci.yaml
b/.github/workflows/fuzzing-ci.yaml
index fbbd6211c..426ebcc37 100644
--- a/.github/workflows/fuzzing-ci.yaml
+++ b/.github/workflows/fuzzing-ci.yaml
@@ -16,6 +16,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/master' &&
github.run_number || github.ref }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
test_apisix:
name: run fuzzing
diff --git a/.github/workflows/kubernetes-ci.yml
b/.github/workflows/kubernetes-ci.yml
index c09157d66..5534cc4f4 100644
--- a/.github/workflows/kubernetes-ci.yml
+++ b/.github/workflows/kubernetes-ci.yml
@@ -16,6 +16,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/master' &&
github.run_number || github.ref }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
kubernetes-discovery:
strategy:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 845bee717..aa3b4c10a 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,6 +2,9 @@ name: ❄️ Lint
on: [pull_request]
+permissions:
+ contents: read
+
jobs:
misc:
name: misc checker
diff --git a/.github/workflows/performance.yml
b/.github/workflows/performance.yml
index 8182d17c0..0f022df60 100644
--- a/.github/workflows/performance.yml
+++ b/.github/workflows/performance.yml
@@ -7,6 +7,9 @@ on:
- 'docs/**'
- '**/*.md'
+permissions:
+ contents: read
+
jobs:
performance:
if: github.event_name == 'pull_request' && github.event.label.name ==
'performance'
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 62b1722f8..7a41b11c1 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -5,8 +5,14 @@ on:
schedule:
- cron: '0 10 * * *'
+permissions:
+ contents: read
+
jobs:
prune_stale:
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
name: Prune Stale
runs-on: ubuntu-latest
timeout-minutes: 10
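Review bot: The job-level `permissions` block added to `prune_stale` replaces the workflow-level block rather than extending it, so inside this job `contents` becomes `none` even though the workflow-level default a few lines above says `read`. That appears acceptable for actions/stale, whose needs the inline comments describe as closing issues and pull requests, but it is easy to misread; a comment on the job block, `# job-level permissions replace (not merge with) the workflow-level ones; contents is none here`, would make the effective grant explicit. The `prune_stale` job continues past the hunk, so it was not possible to confirm that no later step checks out the repository.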
diff --git a/.github/workflows/tars-ci.yml b/.github/workflows/tars-ci.yml
index bd22c0a0f..c939fd240 100644
--- a/.github/workflows/tars-ci.yml
+++ b/.github/workflows/tars-ci.yml
@@ -16,6 +16,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/master' &&
github.run_number || github.ref }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
tars:
strategy: