Merge pull request #913 from step-security-bot/stepsecurity_remediati…

…on_1717354875 [StepSecurity] ci: Harden GitHub Actions
nodenv · Jun 2, 2024 · 31982a8 · 31982a8
2 parents 325a9d2 + d7f1596
commit 31982a8
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 2 deletions.
diff --git a/.github/workflows/definitions.yml b/.github/workflows/definitions.yml
@@ -3,6 +3,8 @@ on:
   schedule: [{cron: '0 */6 * * *'}] # 6hrly https://crontab.guru/#0_*/6_*_*_*
   workflow_dispatch:
 
+permissions: {contents: read}
+
 jobs:
   scrape:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,6 +2,8 @@ name: Release
 on:
   push: { tags: 'v[0-9]+.[0-9]+.[0-9]+*' }
 
+permissions: {contents: read}
+
 jobs:
   release:
     permissions: { contents: write, id-token: write}

diff --git a/.github/workflows/sync-default-branch.yml b/.github/workflows/sync-default-branch.yml
@@ -3,7 +3,7 @@ on:
   push: { branches: main }
   workflow_dispatch:
 
-permissions: { contents: write }
+permissions: {contents: write}
 
 jobs:
   sync:

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -5,7 +5,7 @@ on:
   schedule: [{cron: '0 0 10 * *'}] # monthly https://crontab.guru/#0_0_10_*_*
   workflow_dispatch:
 
-permissions: read-all
+permissions: {contents: read}
 
 jobs:
   test:

diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml
@@ -3,6 +3,8 @@ on:
   schedule: [{ cron: '0 10 * * *' }] # daily: https://crontab.guru/#0_10_*_*_*
   workflow_dispatch:
 
+permissions: {contents: read}
+
 jobs:
   bump:
     runs-on: ubuntu-latest