
Commit 1e0c517

committed
Merge branch 'lukas/gh/maint-26' into maint-26
* lukas/gh/maint-26: gh: Limit scope of GITHUB_TOKEN and only use permissions where needed github: add OSV automated vulnerability checking
2 parents 57f154f + 58b45f2 commit 1e0c517


7 files changed

+27
-7
lines changed


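--- a/.github/workflows/actions-updater.yaml
+++ b/.github/workflows/actions-updater.yaml
@@ -7,6 +7,9 @@ on:
 # Automatically run on every Sunday
 - cron: '0 0 * * 0'
 
+permissions:
+contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest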

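--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -30,6 +30,9 @@ env:
 ## Equivalent to github.event_name == 'pull_request' ? github.base_ref : github.ref_name
 BASE_BRANCH: ${{ github.event_name == 'pull_request' && github.base_ref || github.ref_name }}
 
+permissions:
+contents: read
+
 jobs:
 
 pack: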

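--- a/.github/workflows/osv-scanner-scheduled.yml
+++ b/.github/workflows/osv-scanner-scheduled.yml
@@ -10,12 +10,6 @@ on:
 - cron: 0 1 * * *
 
 permissions:
-# Required to upload SARIF file to CodeQL.
-# See: https://github.com/github/codeql-action/issues/2117
-actions: read
-# Require writing security events to upload SARIF file to security tab
-security-events: write
-# Only need to read contents
 contents: read
 
 jobs:
@@ -72,4 +66,12 @@ jobs:
 # run-scheduled-scan triggers this job
 # PRs and pushes trigger this job
 if: github.event_name != 'schedule'
+permissions:
+# Required to upload SARIF file to CodeQL.
+# See: https://github.com/github/codeql-action/issues/2117
+actions: read
+# Require writing security events to upload SARIF file to security tab
+security-events: write
+# Only needs to read contents
+contents: read
 uses: "google/osv-scanner-action/.github/workflows/[email protected]"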
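Review bot: The job-level `permissions:` block added at new lines 69–76 grants `security-events: write` to a job whose `uses:` line (new line 77, unchanged context) pulls a third-party reusable workflow by what appears to be a version tag; a tag is mutable, so the write scope is effectively delegated to whatever that tag points to in the future. Pinning the reference to a full-length commit SHA, with the tag kept in a trailing comment such as `uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@<commit-sha>"  # vX.Y.Z` (placeholders; take the real path and SHA from the upstream repository), keeps the minimal-permissions intent of this commit intact. The same tag-versus-SHA consideration applies to the `actions/[email protected]` step in the sync-github-releases section, though that job is the only one in the diff given a write scope to a third-party workflow. The job this block belongs to starts outside the hunk.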

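--- a/.github/workflows/pr-comment.yaml
+++ b/.github/workflows/pr-comment.yaml
@@ -12,6 +12,9 @@ on:
 # Limit concurrency so that we don't get any races between parallel actions
 concurrency: pr-comment
 
+permissions:
+contents: read
+
 jobs:
 pr-number:
 runs-on: ubuntu-20.04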
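Review bot: The workflow-level `permissions: contents: read` added at new lines 15–17 reduces every other GITHUB_TOKEN scope to none, and nothing in this hunk restores a write scope for a job that posts a pull-request comment, which this workflow's name suggests it does. If any job here comments on the PR (the job bodies lie outside the hunk, so this is inferred), it needs a job-level override such as `permissions:` / `pull-requests: write` on that job, in the same way the sync-github-releases and osv-scanner jobs in this commit elevate only the job that needs it. A one-line comment above the top-level block, `# Read-only by default; jobs that comment elevate pull-requests: write individually`, would also make the intent visible to the next editor.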

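--- a/.github/workflows/sync-github-prs.yaml
+++ b/.github/workflows/sync-github-prs.yaml
@@ -7,6 +7,9 @@ on:
 ## In UTC
 - cron: '0 */4 * * *'
 
+permissions:
+contents: read
+
 jobs:
 
 sync-prs: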

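--- a/.github/workflows/sync-github-releases.yaml
+++ b/.github/workflows/sync-github-releases.yaml
@@ -9,7 +9,7 @@ on:
 
 ## Needed to create releases
 permissions:
-contents: write
+contents: read
 
 ## Build base images to be used by other github workflows
 jobs:
@@ -18,6 +18,9 @@ jobs:
 if: github.repository == 'erlang/otp'
 concurrency: sync-github-releases
 runs-on: ubuntu-latest
+permissions:
+## Needed to create releases
+contents: write
 steps:
 - uses: actions/[email protected]
 ## We need to login to the package registry in order to pull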
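Review bot: The comment `## Needed to create releases` at line 10 of the first hunk is now stale: it sits directly above the workflow-level `permissions:` block, which this commit changes to `contents: read`, while the write scope it describes has moved to the job-level block in the second hunk (new lines 21–23), where the same comment is repeated correctly. Replace the top-level comment with something like `## Read-only by default; the release job below elevates to contents: write` so the two blocks do not appear to contradict each other. The job containing the second hunk starts outside the hunk.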

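--- a/.github/workflows/update-base.yaml
+++ b/.github/workflows/update-base.yaml
@@ -7,6 +7,9 @@ on:
 ## In UTC
 - cron: '0 0 * * *'
 
+permissions:
+contents: read
+
 ## Build base images to be used by other github workflows
 jobs:
 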
