From 44a4e69a62edf2a3f1f7bd39033bb8174ee7ae83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matou=C5=A1=20Volf?=
Date: Thu, 15 Aug 2024 13:50:01 +0200
Subject: [PATCH] ci: restrict the CI actions permissions

---
 .github/workflows/conventional-commits.yml | 7 +++++++
 .github/workflows/conventional-pull-requests.yml | 7 +++++++
 .github/workflows/lint.yml | 1 +
 3 files changed, 15 insertions(+)

diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
index 5ebc73b..2ea04ff 100644
--- a/.github/workflows/conventional-commits.yml
+++ b/.github/workflows/conventional-commits.yml
@@ -4,10 +4,17 @@ on:
 pull_request:
 types: [ opened, synchronize, reopened, edited ]
 
+permissions: { }
+
 jobs:
 build:
 name: conventional commits
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ pull-requests: read
+ packages: read
+ statuses: write
 steps:
 - name: checkout code
 uses: actions/checkout@v3
diff --git a/.github/workflows/conventional-pull-requests.yml b/.github/workflows/conventional-pull-requests.yml
index a9ffc80..65331b2 100644
--- a/.github/workflows/conventional-pull-requests.yml
+++ b/.github/workflows/conventional-pull-requests.yml
@@ -4,10 +4,17 @@ on:
 pull_request:
 types: [ opened, synchronize, reopened, edited ]
 
+permissions: { }
+
 jobs:
 build:
 name: conventional pull requests
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ pull-requests: read
+ packages: read
+ statuses: write
 steps:
 - name: conventional pull requests check
 uses: ytanikin/PRConventionalCommits@1.1.0
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index f0b0d16..274d9d8 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -12,6 +12,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: read
+ pull-requests: read
 packages: read
 statuses: write
 steps:
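Review bot: The job-level block added to `build` in conventional-commits.yml grants `statuses: write` and `packages: read`, and nothing visible in this hunk shows the commit-lint job needing either; the steps continue past the hunk, so this is something to confirm rather than a certain over-grant. If the check only reads commits and pull-request metadata, the block can shrink to `contents: read` and `pull-requests: read`. On `pull_request` runs from forks the token is read-only by default whatever is declared here, so a step that depends on `statuses: write` would behave differently for fork PRs. The same four-scope block is added in conventional-pull-requests.yml and is already present in lint.yml. A one-line comment over each scope that is kept, such as `# statuses: write - required by <step name>`, would keep the grant reviewable.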
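Review bot: The `permissions:` block added to this job in conventional-pull-requests.yml is handed to `ytanikin/PRConventionalCommits@1.1.0`, a third-party action referenced by a movable tag, so the `statuses: write` grant is only as trustworthy as whatever that tag resolves to at run time. Pinning the `uses:` line to a full commit SHA, `uses: ytanikin/PRConventionalCommits@<full-commit-sha>  # 1.1.0`, fixes which code receives the token. Separately, if the step is configured to label pull requests (its `with:` inputs are outside the hunk), `pull-requests: read` will presumably not be enough and the labelling call would be rejected; worth confirming on a test PR before merging.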
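Review bot: lint.yml does not receive the workflow-level `permissions: { }` that this commit adds to the other two workflows, at least not in this hunk; the top of the file is outside it, so the line may already exist there. Without it, any other job in lint.yml, or one added later without its own block, falls back to the repository's default token permissions instead of none. If it is missing, add `permissions: { }` above `jobs:` to match the other files.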