security: add permissions block to workflows #1136

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

reakaleek merged 5 commits into main from gh-oblt/add-permission-block-to-workflows

Apr 3, 2024

Member

reakaleek commented Feb 17, 2024

Details

⚠️ This PR was created by an automated tool. Please review the changes carefully. ⚠️

We want to set the default permissions for workflows to read-only for contents.
This is a security measure to prevent accidental changes to the repository.

This change adds a top-level permissions block to all workflows in the .github/workflows directory.

permissions:
  contents: read

In some cases workflows might need more permissions than just contents: read.
Please checkout this branch and add the necessary permissions to the workflows.

If your workflow uses a Personal Access Token (PAT), we can still add the permissions block,
but it will not have any effect.

Merging this PR as is might cause workflows that need more permissions to fail.

If there are any questions, please reach out to the @elastic/observablt-ci


          security: add permissions block to workflows

9b57528

reakaleek self-assigned this

reakaleek requested a review from a team

February 17, 2024 18:59

github-actions bot added the agent-php label

reakaleek commented

View reviewed changes

.github/workflows/test-reporter.yml Show resolved Hide resolved

reakaleek commented

View reviewed changes

.github/workflows/test-packages.yml Show resolved Hide resolved

reakaleek commented

View reviewed changes

.github/workflows/labeler.yml Show resolved Hide resolved

reakaleek commented

View reviewed changes

.github/workflows/build.yml Show resolved Hide resolved

reakaleek commented

View reviewed changes

.github/workflows/build-packages.yml Show resolved Hide resolved


          Add permissions

52e9be6

v1v reviewed

View reviewed changes

.github/workflows/build.yml Outdated Show resolved Hide resolved

.github/workflows/test-packages.yml Outdated Show resolved Hide resolved

reakaleek commented

View reviewed changes

.github/workflows/build-packages.yml Outdated Show resolved Hide resolved

reakaleek commented

View reviewed changes

.github/workflows/build.yml Outdated Show resolved Hide resolved

reakaleek commented

View reviewed changes

.github/workflows/test-packages.yml Outdated Show resolved Hide resolved


          Remove actions permissions

08e3312

v1v approved these changes

View reviewed changes


          Merge branch 'main' into gh-oblt/add-permission-block-to-workflows

ce57a6a

v1v approved these changes

View reviewed changes

Member

v1v commented Mar 27, 2024

Blocked by #1144


          Merge branch 'main' into gh-oblt/add-permission-block-to-workflows

640fe46

reakaleek merged commit ccd4cfa into main

reakaleek deleted the gh-oblt/add-permission-block-to-workflows branch

April 3, 2024 12:00

v1v added a commit that referenced this pull request


          Merge remote-tracking branch 'upstream/main' into feature/provenance

f46383d

* upstream/main:
  feat: use pre-built fpm container image (#1145)
  ci(fix): use docker compose v2 instead of v1 (#1146)
  security: add permissions block to workflows (#1136)
  fix: use latest fpm version (#1144)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels