From 354d8dfe8810c2073e0b83f6d74c0e1ea5376d48 Mon Sep 17 00:00:00 2001
From: matfax
Date: Tue, 11 Jul 2023 17:57:28 +0200
Subject: [PATCH] ci: added GitHub Actions permissions monitoring

Added the GitHubSecurityLab/actions-permissions/monitor action to advisor.yml, build.yml, and publish.yml files. This action will monitor permissions based on the provided config file.
---
 .github/workflows/advisor.yml | 26 ++++++++++++++++++++++++++
 .github/workflows/black.yml | 3 +++
 .github/workflows/build.yml | 3 +++
 .github/workflows/publish.yml | 3 +++
 4 files changed, 35 insertions(+)
 create mode 100644 .github/workflows/advisor.yml
diff --git a/.github/workflows/advisor.yml b/.github/workflows/advisor.yml
new file mode 100644
index 0000000..8034883
--- /dev/null
+++ b/.github/workflows/advisor.yml
@@ -0,0 +1,26 @@
+name: permissions advisor
+
+permissions:
+ actions: read
+
+on:
+ workflow_dispatch:
+ inputs:
+ name:
+ description: 'The name of the workflow file to analyze'
+ required: true
+ type: string
+ count:
+ description: 'How many last runs to analyze'
+ required: false
+ type: number
+ default: 10
+
+jobs:
+ advisor:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: GitHubSecurityLab/actions-permissions/advisor@v1.0.0
+ with:
+ name: ${{ inputs.name }}
+ count: ${{ inputs.count }}
diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index dec9283..4417d6a 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -24,6 +24,9 @@ jobs:
 run:
 shell: bash
 steps:
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1.0.0
+ with:
+ config: ${{ vars.PERMISSIONS_CONFIG }}
 - uses: actions/checkout@v3.5.3
 - name: setting up python ${{ matrix.python-version }}
 uses: actions/setup-python@v4.6.1
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 97df727..46e05ad 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
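Review bot: The advisor action on the `- uses:` line is referenced by the mutable tag `@v1.0.0`, so a moved or re-pushed tag would silently change the code that runs with this workflow's token; pin to the full commit SHA the tag currently resolves to and keep the tag as a comment, e.g. `- uses: GitHubSecurityLab/actions-permissions/advisor@<full-commit-sha>  # v1.0.0`. The same applies to the monitor step this commit adds in black.yml, build.yml and publish.yml. The workflow-level `permissions: actions: read` keeps the token narrowly scoped, and both `workflow_dispatch` inputs appear only under `with:`, never inside a `run:` script, so this hunk has no expression-injection surface. The commit description names advisor.yml among the files that receive the monitor step, but this file gets the advisor action while the monitor goes into black.yml.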
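Review bot: `config: ${{ vars.PERMISSIONS_CONFIG }}` on the added line expands to an empty string when the repository variable has not been created (forks do not receive it either), so the monitor step then runs with an empty config and its behaviour depends on how the action treats that; either document the requirement next to the step (`# requires repository variable PERMISSIONS_CONFIG`) or skip it with `if: vars.PERMISSIONS_CONFIG != ''`. The same expression is used in the build.yml and publish.yml hunks. Placing the step ahead of `actions/checkout` is presumably deliberate so it can observe every later step's token use. The job definition begins above the hunk, so the job's own `permissions:` block, if any, is not visible here.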
@@ -24,6 +24,9 @@ jobs:
 shell: bash
 name: python ${{ matrix.python-version }} on ${{ matrix.os }}
 steps:
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1.0.0
+ with:
+ config: ${{ vars.PERMISSIONS_CONFIG }}
 - uses: actions/checkout@v3.5.3
 - name: setting up python ${{ matrix.python-version }}
 uses: actions/setup-python@v4.6.1
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index e0f1c94..1e78314 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -20,6 +20,9 @@ jobs:
 run:
 shell: bash
 steps:
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1.0.0
+ with:
+ config: ${{ vars.PERMISSIONS_CONFIG }}
 - uses: actions/checkout@v3.5.3
 - name: setting up python ${{ matrix.python-version }}
 uses: actions/setup-python@v4.6.1