From 30b4f27876793e04c3859a08b0fcccebae234f97 Mon Sep 17 00:00:00 2001
From: Daniel Weck
Date: Thu, 21 Mar 2024 10:17:37 +0000
Subject: [PATCH] fix(CI): GitHub Action YAML Workflow now includes explicit allow-list of permissions for less permissive GITHUB_TOKEN

---
 .github/workflows/deploy | 18 +++++++++++++++++-
 .github/workflows/deploy_docsy.yml | 16 ++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deploy b/.github/workflows/deploy
index ed556b9a..0cecb8ea 100644
--- a/.github/workflows/deploy
+++ b/.github/workflows/deploy
@@ -1,7 +1,23 @@
 name: Build with Hugo
 on: [push, pull_request]
-
+
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: write
+  deployments: none
+  id-token: none
+  issues: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
 jobs:
   deploy:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/deploy_docsy.yml b/.github/workflows/deploy_docsy.yml
index 3d916822..08264837 100644
--- a/.github/workflows/deploy_docsy.yml
+++ b/.github/workflows/deploy_docsy.yml
@@ -5,6 +5,22 @@ on:
     branches:
       - main
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: write
+  deployments: none
+  id-token: none
+  issues: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
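Review bot: `contents: write` is granted at workflow level in `.github/workflows/deploy`, so every job receives it on both `push` and `pull_request` runs; for a pull request opened from a branch of the same repository the token can therefore push, which the deploy job presumably does. Prefer `permissions: contents: read` at the top of the file and a job-level `permissions: contents: write` on `deploy` (or an `if: github.event_name == 'push'` guard on the job) so that PR builds keep a read-only token. The explicit `none` entries are redundant once any scope is listed, since GitHub sets every unlisted scope to none, but they document intent; if kept, the identical list in deploy_docsy.yml should be maintained in step. GitHub only loads workflow files ending in .yml or .yaml, so this extension-less `deploy` file is probably never executed and may be dead. The `deploy` job's steps continue outside the hunk.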
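Review bot: In `.github/workflows/deploy_docsy.yml` the `permissions:` block is inserted between `- main` and `workflow_dispatch:`, i.e. in the middle of the `on:` trigger mapping named in the hunk header; if `# Allows …` and `workflow_dispatch:` are still indented under `on:` (they are unchanged context here), the column-0 `permissions:` key closes `on:` and `workflow_dispatch:` becomes a key of `permissions`, which GitHub rejects as an unknown scope and which silently drops the manual trigger. Move the block below the end of the `on:` mapping (after `workflow_dispatch:`) or above `on:`, and confirm with a YAML linter that the loaded document has `workflow_dispatch` under `on`. The workflow-level `contents: write` point raised for `.github/workflows/deploy` applies here too, though with the trigger limited to a push to `main` it is less of a concern. The `on:` mapping starts before the hunk.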