Reduce GITHUB_TOKEN perms in actions when using 3rd party scripts

This avoids allowing third parties to arbitrarily overwrite the repository.
2022-03-17 04:12:33 +00:00 · 2022-03-17 04:12:33 +00:00 · 8fd3497015
commit 8fd3497015
parent e5b3eeebd9
3 changed files with 9 additions and 1 deletions
--- a/.github/workflows/deploy-pull-request.yml
+++ b/.github/workflows/deploy-pull-request.yml
@ -6,6 +6,9 @@ on:
        - completed
 jobs:
  get-build-and-deploy:
+    permissions:
+      contents: read
+      pull-requests: write
    runs-on: ubuntu-latest
    if: >
      ${{ github.event.workflow_run.conclusion == 'success' }}
--- a/.github/workflows/netlify-dev.yml
+++ b/.github/workflows/netlify-dev.yml
@ -9,7 +9,8 @@ jobs:
  deploy-to-netlify:
    name: 'Deploy'
    runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3.0.2
--- a/.github/workflows/prod-deploy.yml
+++ b/.github/workflows/prod-deploy.yml
@ -37,6 +37,8 @@ jobs:
  deploy-to-netlify:
    name: 'Deploy to Netlify'
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3.0.2
@ -53,6 +55,8 @@ jobs:
  push_to_dockerhub:
    name: Push Docker image to Docker Hub
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3.0.2