From 1d45ca58c86ac103ea624c3af3c81c20863950ad Mon Sep 17 00:00:00 2001
From: Alex <93376818+sashashura@users.noreply.github.com>
Date: Sun, 28 Aug 2022 18:20:03 +0200
Subject: [PATCH] Harden GitHub Workflows security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Michael Voříšek
Closes GH-9440.
---
 .github/workflows/close-needs-feedback.yml | 6 ++++++
 .github/workflows/close-stale-feature-requests.yml | 6 ++++++
 .github/workflows/close-stale-prs.yml | 6 ++++++
 .github/workflows/nightly.yml | 2 ++
 .github/workflows/push.yml | 2 ++
 .github/workflows/remove-needs-feedback.yml | 6 ++++++
 6 files changed, 28 insertions(+)

diff --git a/.github/workflows/close-needs-feedback.yml b/.github/workflows/close-needs-feedback.yml
index 7197598f38c49..27231303f16e5 100644
--- a/.github/workflows/close-needs-feedback.yml
+++ b/.github/workflows/close-needs-feedback.yml
@@ -4,10 +4,16 @@ on:
 schedule:
 - cron: "0 0 * * *"
 
+permissions:
+ contents: read
+
 jobs:
 build:
 if: github.repository_owner == 'php'
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
 steps:
 - name: Close old issues that need feedback
 uses: dwieeb/needs-reply@v2
diff --git a/.github/workflows/close-stale-feature-requests.yml b/.github/workflows/close-stale-feature-requests.yml
index b6727dc2401d5..685bdced92ec3 100644
--- a/.github/workflows/close-stale-feature-requests.yml
+++ b/.github/workflows/close-stale-feature-requests.yml
@@ -4,10 +4,16 @@ on:
 schedule:
 - cron: "0 0 * * *"
 
+permissions:
+ contents: read
+
 jobs:
 stale:
 if: github.repository_owner == 'php'
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
 steps:
 - uses: actions/stale@v4
 with:
diff --git a/.github/workflows/close-stale-prs.yml b/.github/workflows/close-stale-prs.yml
index e5fbacff5d152..ca4317be1e0f9 100644
--- a/.github/workflows/close-stale-prs.yml
+++ b/.github/workflows/close-stale-prs.yml
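Review bot: The job-level grant in close-needs-feedback.yml gives `pull-requests: write` next to `issues: write`, which looks wider than the step `uses: dwieeb/needs-reply@v2` should need if it only closes issues; confirm against that action's documented scopes and drop the PR scope if it is unused, since least privilege is the whole point of this patch. A one-line comment above the job `permissions:` explaining the elevation would help the next editor, e.g. `# needs-reply closes issues, so only this job gets write scopes; the workflow default above is read-only`. The same review applies to the `issues: write`/`pull-requests: write` blocks in close-stale-feature-requests.yml, close-stale-prs.yml and remove-needs-feedback.yml, where actions/stale@v4's README does list both scopes. Separately, every step visible in these hunks references its action by a mutable tag (`@v2`, `@v4`, `@v1`); scoping the token limits what a retagged action could do but does not remove that exposure, so pinning each `uses:` to a full commit SHA is the natural companion to this change.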
@@ -4,10 +4,16 @@ on:
 schedule:
 - cron: "0 0 * * *"
 
+permissions:
+ contents: read
+
 jobs:
 stale:
 if: github.repository_owner == 'php'
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
 steps:
 - uses: actions/stale@v4
 with:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 7bed10529f647..13f0dc0864749 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -3,6 +3,8 @@ on:
 schedule:
 - cron: "0 1 * * *"
 workflow_dispatch: ~
+permissions:
+ contents: read
 jobs:
 GENERATE_MATRIX:
 name: Generate Matrix
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 38dad5e8f8fda..abe9a104429d1 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -17,6 +17,8 @@ on:
 pull_request:
 branches:
 - '**'
+permissions:
+ contents: read
 jobs:
 LINUX_X64:
 strategy:
diff --git a/.github/workflows/remove-needs-feedback.yml b/.github/workflows/remove-needs-feedback.yml
index fded33b442081..8d1ff3e0a0712 100644
--- a/.github/workflows/remove-needs-feedback.yml
+++ b/.github/workflows/remove-needs-feedback.yml
@@ -5,10 +5,16 @@ on:
 types:
 - created
 
+permissions:
+ contents: read
+
 jobs:
 build:
 if: "github.repository_owner == 'php' && contains(github.event.issue.labels.*.name, 'Status: Needs Feedback') && github.event.issue.user.login == github.event.sender.login"
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
 steps:
 - uses: actions-ecosystem/action-remove-labels@v1
 with:
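Review bot: In nightly.yml the new top-level `permissions:` block is wedged directly between `workflow_dispatch: ~` and `jobs:` with no blank line on either side, while the other workflows in this patch separate the block with blank lines; push.yml has the same layout. A blank line before and after keeps the top-level stanzas consistent across the repository's workflows. Only GENERATE_MATRIX (nightly.yml) and the start of LINUX_X64 (push.yml) are visible; the remaining jobs are outside the hunk, so any of them that writes through the default token will presumably be refused under the new read-only default until it receives its own job-level grant — worth a trial run before relying on the default.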
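Review bot: remove-needs-feedback.yml runs on a comment being created (`types: - created` under `on:`, presumably the issue_comment event), which any user able to comment on the repository can trigger, so the `issues: write`/`pull-requests: write` grant on `build` is exercised in response to untrusted input; the existing `if:` guard (issue author only, 'Status: Needs Feedback' label present) is what bounds that, and it compares only event metadata, not comment text. That reliance deserves a comment above the job-level `permissions:`, e.g. `# write scopes are reached only when the if: guard above passes; keep the two in sync`. Both scopes are plausibly needed because the same event fires for pull-request comments, but if `actions-ecosystem/action-remove-labels@v1` only ever edits labels via the issues API, `issues: write` alone may be enough — confirm against the action's documentation before keeping the PR scope.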