From 8fd3497015f003c90961bcd403945f61d7a6144b Mon Sep 17 00:00:00 2001
From: Matt Corallo
Date: Thu, 17 Mar 2022 04:12:33 +0000
Subject: [PATCH] Reduce GITHUB_TOKEN perms in actions when using 3rd party scripts

This avoids allowing third parties to arbitrarily overwrite the repository.
---
 .github/workflows/deploy-pull-request.yml | 3 +++
 .github/workflows/netlify-dev.yml         | 3 ++-
 .github/workflows/prod-deploy.yml         | 4 ++++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deploy-pull-request.yml b/.github/workflows/deploy-pull-request.yml
index 814a344b..c342528d 100644
--- a/.github/workflows/deploy-pull-request.yml
+++ b/.github/workflows/deploy-pull-request.yml
@@ -6,6 +6,9 @@ on:
       - completed
 jobs:
   get-build-and-deploy:
+    permissions:
+      contents: read
+      pull-requests: write
     runs-on: ubuntu-latest
     if: >
       ${{ github.event.workflow_run.conclusion == 'success' }}
diff --git a/.github/workflows/netlify-dev.yml b/.github/workflows/netlify-dev.yml
index 2c36f79f..bd9d163c 100644
--- a/.github/workflows/netlify-dev.yml
+++ b/.github/workflows/netlify-dev.yml
@@ -9,7 +9,8 @@ jobs:
   deploy-to-netlify:
     name: 'Deploy'
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3.0.2
diff --git a/.github/workflows/prod-deploy.yml b/.github/workflows/prod-deploy.yml
index c8b2df03..6bfb3cc9 100644
--- a/.github/workflows/prod-deploy.yml
+++ b/.github/workflows/prod-deploy.yml
@@ -37,6 +37,8 @@ jobs:
   deploy-to-netlify:
     name: 'Deploy to Netlify'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3.0.2
@@ -53,6 +55,8 @@ jobs:
   push_to_dockerhub:
     name: Push Docker image to Docker Hub
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3.0.2
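Review bot: The new `pull-requests: write` grant in deploy-pull-request.yml has no comment saying which step needs it, and that matters more than usual here because the job runs on a `workflow_run` trigger (the `on:` header context and the `github.event.workflow_run.conclusion` condition) where the token is a privileged base-repository token acting on output of an untrusted pull-request run. A one-line comment above the grant, such as `# pull-requests: write is needed only by the step that comments on the PR (presumably the deploy-preview notice); all other steps run read-only`, lets the next reviewer re-check that it is still the minimum when steps change. Note also that `permissions:` narrows only `GITHUB_TOKEN`; any other secrets passed to the third-party steps in this job are unaffected and still need to be scoped at the step that uses them. The job body continues outside the hunk, so which step actually consumes the write scope cannot be confirmed from here.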
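Review bot: The `permissions: contents: read` block is added per job here and in both prod-deploy.yml hunks (`deploy-to-netlify` and `push_to_dockerhub`), so a job added to any of these workflows later still inherits the repository's default token scope; a workflow-level `permissions:` block at the top of each file would make least privilege the default and keep the job-level blocks only where a job needs more (as deploy-pull-request.yml does). The same caveat applies to all four jobs: this narrows only `GITHUB_TOKEN`, while the Netlify and Docker Hub credentials these jobs presumably use are ordinary secrets that remain fully available to every step, so the third-party steps are still the trust boundary. Since the commit's stated goal is limiting what third-party scripts can do, the unchanged `uses: actions/checkout@v3.0.2` context line is worth a follow-up as well: a tag is mutable, and pinning actions to a full commit SHA is the complementary control. The workflow-level `on:` and `env:` sections are outside these hunks, so whether a top-level `permissions:` already exists cannot be confirmed from here.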