From 4ab66cc939c2912f83c628820db70562874f2f14 Mon Sep 17 00:00:00 2001
From: erezrokah
Date: Mon, 29 Sep 2025 14:50:51 +0100
Subject: [PATCH] chore: Add permissions to all workflows
---
 .github/workflows/add_tags.yml | 15 ---------------
 .github/workflows/lint_golang.yml | 3 +++
 .github/workflows/lint_markdown.yml | 5 ++++-
 .github/workflows/pr_title.yml | 5 ++++-
 .github/workflows/release_pr.yml | 3 +++
 .github/workflows/unittest.yml | 3 +++
 6 files changed, 17 insertions(+), 17 deletions(-)
 delete mode 100644 .github/workflows/add_tags.yml
diff --git a/.github/workflows/add_tags.yml b/.github/workflows/add_tags.yml
deleted file mode 100644
index 9b62d7c6..00000000
--- a/.github/workflows/add_tags.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# Warning, do not check out untrusted code with
-# the pull_request_target event.
-# the current workflow IS safe as long as you dont checkout untrusted code
-# https://nathandavison.com/blog/github-actions-and-the-threat-of-malicious-pull-requests
-on:
- pull_request_target:
- types: [opened, edited]
-name: conventional-release-labels
-jobs:
- label:
- runs-on: ubuntu-latest
- steps:
- - uses: bcoe/conventional-release-labels@v1
- with:
- type_labels: '{ "feat": "feat", "fix": "fix", "chore": "chore", "refactor": "refactor", "test": "test", "breaking": "breaking" }'
\ No newline at end of file
diff --git a/.github/workflows/lint_golang.yml b/.github/workflows/lint_golang.yml
index 039f6846..4c3bb655 100644
--- a/.github/workflows/lint_golang.yml
+++ b/.github/workflows/lint_golang.yml
@@ -7,6 +7,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 golangci:
 name: Lint with GolangCI
diff --git a/.github/workflows/lint_markdown.yml b/.github/workflows/lint_markdown.yml
index 28082eb6..8acae720 100644
--- a/.github/workflows/lint_markdown.yml
+++ b/.github/workflows/lint_markdown.yml
@@ -6,6 +6,9 @@ on:
 - ".github/workflow/lint_markdown.yml"
 - "**.md"
 
+permissions:
+ contents: read
+
 jobs:
 lint-grammar:
 runs-on: ubuntu-latest
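Review bot: The `paths` filter on the context line just above the new `permissions` block points at `.github/workflow/lint_markdown.yml`, which does not match this file's real path under `.github/workflows/`, so edits to the workflow itself (including this one) will not trigger the lint run; change it to `- ".github/workflows/lint_markdown.yml"`. Separately, the `lint-grammar` job continues outside the hunk and, per the next hunk, hands `GITHUB_TOKEN` to its step with `filter_mode: nofilter`; if that step reports findings as PR review comments or check annotations, a workflow-level `contents: read` leaves the token without `pull-requests: write`/`checks: write` and the reporter will fail. Confirm the reporter mode, and if it does post to the PR, add the grant at job level on `lint-grammar` only (`permissions:` / `contents: read` / `pull-requests: write`) rather than widening the workflow default.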
@@ -18,7 +21,7 @@ jobs:
 vale_flags: "--glob=!{CHANGELOG.md,.github/styles/proselint/README.md}"
 filter_mode: nofilter
 fail_on_error: true
- version: '3.0.3'
+ version: "3.0.3"
 env:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
 lint-structure:
diff --git a/.github/workflows/pr_title.yml b/.github/workflows/pr_title.yml
index 8511fa9f..8a6f52af 100644
--- a/.github/workflows/pr_title.yml
+++ b/.github/workflows/pr_title.yml
@@ -7,6 +7,9 @@ on:
 - edited
 - synchronize
 
+permissions:
+ pull-requests: read
+
 jobs:
 main:
 name: Validate PR title
@@ -44,7 +47,7 @@ jobs:
 # special "[WIP]" prefix to indicate this state. This will avoid the
 # validation of the PR title and the pull request checks remain pending.
 # Note that a second check will be reported if this is enabled.
- wip: true
+ wip: false
 # When using "Squash and merge" on a PR with only one commit, GitHub
 # will suggest using that commit message instead of the PR title for the
 # merge commit, and it's easy to commit this by mistake. Enable this option
diff --git a/.github/workflows/release_pr.yml b/.github/workflows/release_pr.yml
index 27acff63..1eb9ee77 100644
--- a/.github/workflows/release_pr.yml
+++ b/.github/workflows/release_pr.yml
@@ -4,6 +4,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 release-please:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/unittest.yml b/.github/workflows/unittest.yml
index 57479feb..91a8e024 100644
--- a/.github/workflows/unittest.yml
+++ b/.github/workflows/unittest.yml
@@ -7,6 +7,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 unitests:
 runs-on: ubuntu-latest
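Review bot: The flip to `wip: false` is undocumented at the value and not covered by the commit subject, while the comment block above it still only describes what enabling it does. Since that comment says an extra check is reported when enabled, the likely reason is that reporting the check needs a write permission the new workflow-level `pull-requests: read` block no longer grants; if so, record it next to the value, e.g. `# Kept disabled: the extra WIP check needs write access (statuses/checks) this workflow intentionally does not grant.` The job's steps are outside the hunk, so whether the action runs with the default GITHUB_TOKEN is inferred rather than visible.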
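Review bot: A workflow-level `contents: read` is very likely too narrow for the `release-please` job that begins on the hunk's last lines: opening or updating a release PR and creating the release tag need `contents: write` and `pull-requests: write` when the action authenticates with the default `GITHUB_TOKEN`, and with this block those API calls will be rejected on the next push to `main`. The job's steps are outside the hunk, so this is inferred from the job name; if the step uses a PAT or GitHub App token instead, the read-only default is correct and deserves a one-line comment saying so. Otherwise keep the workflow default read-only and grant at job level on `release-please`: `permissions:` / `contents: write` / `pull-requests: write`.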