OrgGo
/
shirou_gopsutil
mirror of https://hub.fastgit.org/shirou/gopsutil.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

chore: Set permissions for GitHub actions 

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: nathannaveen <42319948+nathannaveen@users.noreply.github.com>
This commit is contained in:
nathannaveen 2022-05-05 01:31:24 +00:00
parent 24a1ae54b4
commit 3a2c8dd4f8
6 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/build_test.yml vendored
View File

@ -1,5 +1,8 @@
on: [push, pull_request] on: [push, pull_request]
name: Build Test name: Build Test
permissions:
contents: read
jobs: jobs:
build_test_v3: build_test_v3:
strategy: strategy:

6
.github/workflows/labeler.yml vendored
View File

@ -2,8 +2,14 @@ name: "Pull Request Labeler"
on: on:
- pull_request_target - pull_request_target
permissions:
contents: read
jobs: jobs:
triage: triage:
permissions:
contents: read # for actions/labeler to determine modified files
pull-requests: write # for actions/labeler to add labels to PRs
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/labeler@v4 - uses: actions/labeler@v4

6
.github/workflows/lint.yml vendored
View File

@ -4,8 +4,14 @@ on:
push: push:
pull_request: pull_request:
permissions:
contents: read
jobs: jobs:
golangci: golangci:
permissions:
contents: read # for actions/checkout to fetch code
pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
name: lint name: lint
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:

3
.github/workflows/release.yml vendored
View File

@ -3,6 +3,9 @@ on:
- cron: '0 1 1 * *' # UTC 01:00 on the first day of the Month - cron: '0 1 1 * *' # UTC 01:00 on the first day of the Month
name: Release name: Release
permissions:
contents: read
jobs: jobs:
release: release:
runs-on: ubuntu-latest runs-on: ubuntu-latest

3
.github/workflows/shellcheck.yml vendored
View File

@ -1,5 +1,8 @@
on: [push, pull_request] on: [push, pull_request]
name: Shellcheck name: Shellcheck
permissions:
contents: read
jobs: jobs:
shellcheck: shellcheck:
name: Shellcheck name: Shellcheck

3
.github/workflows/test.yml vendored
View File

@ -1,5 +1,8 @@
on: [push, pull_request] on: [push, pull_request]
name: Test name: Test
permissions:
contents: read
jobs: jobs:
test_v3_module: test_v3_module:
strategy: strategy: