From c2991fcdc3de0a86aa1f8a471f04bc9706d37eef Mon Sep 17 00:00:00 2001
From: Thomas von Deyen
Date: Tue, 7 Jan 2025 22:01:03 +0100
Subject: [PATCH 1/2] CI: Set workflow permissions

Adviced by the GH CodeQL scanner

(cherry picked from commit ce3b4ad810338ab5868bfddeff85d4231eab3952)
---
 .github/workflows/backport.yml | 3 +++
 .github/workflows/brakeman-analysis.yml | 3 +++
 .github/workflows/build_test.yml | 10 ++++++++++
 .github/workflows/lint.yml | 3 +++
 .github/workflows/stale.yml | 5 ++++-
 5 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 30c503b9a0..62a1bb1857 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -6,6 +6,9 @@ on:
 - closed
 - labeled

+permissions:
+ pull-requests: write
+
 jobs:
 backport:
 name: Backport
diff --git a/.github/workflows/brakeman-analysis.yml b/.github/workflows/brakeman-analysis.yml
index 51e7b0bb0f..17950dfef4 100644
--- a/.github/workflows/brakeman-analysis.yml
+++ b/.github/workflows/brakeman-analysis.yml
@@ -7,6 +7,9 @@ concurrency:
 group: brakeman-${{ github.ref_name }}
 cancel-in-progress: ${{ github.ref_name != 'main' }}

+permissions:
+ contents: read
+
 on:
 push:
 branches: [main]
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
index 08738e670b..74ac416876 100644
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -15,6 +15,8 @@ on:

 jobs:
 check_bun_lock:
+ permissions:
+ contents: read
 runs-on: ubuntu-22.04
 name: Check bun.lockdb
 steps:
@@ -30,6 +32,8 @@ jobs:
 bun_lock_changed: ${{ steps.changed-bun-lock.outputs.any_changed }}

 build_javascript:
+ permissions:
+ contents: read
 runs-on: ubuntu-22.04
 name: Build JS packages
 needs: check_bun_lock
@@ -55,6 +59,8 @@ jobs:
 path: vendor/javascript

 RSpec:
+ permissions:
+ contents: read
 needs: [check_bun_lock, build_javascript]
 if: ${{ success('check_bun_lock') && !failure('build_javascript') }}
 runs-on: ubuntu-22.04
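Review bot: The workflow-level `permissions:` block added before `jobs:` in backport.yml sets every scope it does not list to `none`, so the backport job's token now has `contents: none`; if the job checks out the repository or pushes the backport branch (its steps are outside this hunk), it will also need `contents: read` or `contents: write` under the same block, e.g. `contents: write` next to `pull-requests: write`. Worth confirming against the documented permissions of the action the job uses before merging. If the trigger is `pull_request` (the `- closed`/`- labeled` types suggest so), note that for pull requests from forked repositories the token is read-only regardless of what is declared here, so the write scope only takes effect for same-repository pull requests.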
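Review bot: A point of style in brakeman-analysis.yml: the new `permissions:` block is placed between `concurrency:` and `on:`, whereas backport.yml and stale.yml in this same series put theirs immediately before `jobs:`; lint.yml follows the `concurrency`/`permissions`/`on` order used here. Key order does not change the parsed mapping, but the workflows would be easier to audit if the block sat in the same position in every file, conventionally after `on:` and before `jobs:`. A one-line comment above the block, such as `# Least-privilege token scopes; any scope not listed is none`, would also record why it exists.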
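Review bot: In build_test.yml `permissions:` is declared per job (`check_bun_lock` here, and `build_javascript`, `RSpec`, `PushJavascript` and `Jest` in the following hunks) with no workflow-level default, so any job in this file that did not receive its own block — and any job added later — keeps the repository's default token permissions instead of the read-only scope this commit is after. A workflow-level block before `jobs:`, `permissions:` followed by `  contents: read`, would make read-only the default; `PushJavascript` would then be the only job needing its own override (`contents: write`), and the four per-job `contents: read` blocks could be dropped. I can only see the hunks, so whether further jobs exist in the file is inferred from the hunk headers' line numbers.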
@@ -166,6 +172,8 @@ jobs:
 spec/dummy/tmp/screenshots

 PushJavascript:
+ permissions:
+ contents: write
 runs-on: ubuntu-22.04
 needs: [check_bun_lock, RSpec]
 if: github.event_name == 'pull_request'
@@ -198,6 +206,8 @@ jobs:
 branch: ${{ github.head_ref }}

 Jest:
+ permissions:
+ contents: read
 runs-on: ubuntu-22.04
 env:
 NODE_ENV: test
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 884783a9f4..68ffea7b3c 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,6 +6,9 @@ concurrency:
 group: lint-${{ github.ref_name }}
 cancel-in-progress: ${{ github.ref_name != 'main' }}

+permissions:
+ contents: read
+
 jobs:
 Standard:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 1821afb177..d1129b581b 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,10 +4,13 @@ on:
 schedule:
 - cron: "0 0 * * *"

+permissions:
+ pull-requests: write
+ issues: write
+
 jobs:
 stale:
 runs-on: ubuntu-22.04
-
 steps:
 - uses: actions/stale@v5
 with:

From 8800ce84a9fa5a8eac31df7301f3b955cdc67e8f Mon Sep 17 00:00:00 2001
From: Thomas von Deyen
Date: Tue, 7 Jan 2025 23:00:16 +0100
Subject: [PATCH 2/2] CI: Brakeman needs security-events: write permissions

In order to write code scanning alerts

---
 .github/workflows/brakeman-analysis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/brakeman-analysis.yml b/.github/workflows/brakeman-analysis.yml
index 17950dfef4..af75235f19 100644
--- a/.github/workflows/brakeman-analysis.yml
+++ b/.github/workflows/brakeman-analysis.yml
@@ -9,6 +9,7 @@ concurrency:
 permissions:
 contents: read
+ security-events: write

 on:
 push:
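Review bot: `PushJavascript` is the only job in build_test.yml given `contents: write`, and the surrounding context shows it runs `if: github.event_name == 'pull_request'` and, in the next hunk, pushes to `branch: ${{ github.head_ref }}`. For pull requests from forked repositories GitHub issues a read-only token regardless of this declaration, so the push step would fail there; if fork PRs are expected, either gate the job with `if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository` or record the limitation above the block with a comment such as `# contents: write lets this job push built assets to the PR branch; only effective for same-repository PRs`. The job's steps continue outside the hunk.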