From c87645bcb23177dc99e283b63a717bb9cd8043fc Mon Sep 17 00:00:00 2001
From: Constantin Graf
Date: Thu, 22 May 2025 10:57:57 +0200
Subject: [PATCH] Add permissions to all GitHub actions
---
.github/workflows/build-private.yml | 3 +++
.github/workflows/build-public.yml | 16 ++++++----------
.github/workflows/generate-api-docs.yml | 3 +++
.github/workflows/npm-build.yml | 2 ++
.github/workflows/npm-lint.yml | 2 ++
.github/workflows/npm-publish-api.yml | 2 ++
.github/workflows/npm-publish-ui.yml | 2 ++
.github/workflows/npm-typecheck.yml | 3 ++-
.github/workflows/phpstan.yml | 2 ++
.github/workflows/phpunit.yml | 2 ++
.github/workflows/pint.yml | 2 ++
.github/workflows/playwright.yml | 2 ++
12 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/build-private.yml b/.github/workflows/build-private.yml
index b385c6af..c335519b 100644
--- a/.github/workflows/build-private.yml
+++ b/.github/workflows/build-private.yml
@@ -10,6 +10,8 @@ on: - '.github/workflows/build-private.yml' - 'docker/prod/**' workflow_dispatch: +permissions: + contents: read name: Build - Private jobs:
@@ -17,6 +19,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 20 + steps: - name: "Check out code" uses: actions/checkout@v4
diff --git a/.github/workflows/build-public.yml b/.github/workflows/build-public.yml
index 839d153c..d91d6e51 100644
--- a/.github/workflows/build-public.yml
+++ b/.github/workflows/build-public.yml
@@ -11,6 +11,12 @@ on: - 'docker/prod/**' workflow_dispatch: +permissions: + packages: write + contents: read + attestations: write + id-token: write + env: DOCKERHUB_REPO: solidtime/solidtime GHCR_REPO: ghcr.io/solidtime-io/solidtime
@@ -26,11 +32,6 @@ jobs: - runs-on: "ubuntu-24.04" platform: "linux/amd64" runs-on: ${{ matrix.runs-on }} - permissions: - packages: write - contents: read - attestations: write - id-token: write timeout-minutes: 90 steps:
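Review bot: The new workflow-level `permissions: contents: read` in build-private.yml (hunk `@@ -10,6 +10,8 @@`) is the right default, but the job's steps that would show whether the GITHUB_TOKEN is used for anything beyond checkout — for instance a push to a registry or an upload to a release — lie outside both hunks, so please confirm no step needs `packages: write` or `contents: write`; a missing grant only surfaces as a 403 at run time. The same check applies to generate-api-docs.yml, whose `api_docs` job is likewise reduced to `contents: read`: if it commits or deploys the generated docs it needs a job-level `contents: write` (or `pages: write` together with `id-token: write`) rather than a wider workflow-level grant. Minor: the second build-private hunk (`@@ -17,6 +19,7 @@`) adds only a blank line after `timeout-minutes: 20`, which is unrelated to the permissions change.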
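Review bot: Moving `packages: write`, `attestations: write` and `id-token: write` from the two jobs to the workflow level (this hunk, with the job-level blocks removed in `@@ -26,11 +32,6 @@` and `@@ -163,11 +164,6 @@`) widens the token rather than tightening it: every job in build-public.yml, including any added later, now gets package-push and OIDC rights. For the `build` and `merge` jobs visible here the effective grants are unchanged, so this is a structural least-privilege regression only, but it runs against the commit's stated goal. I would keep the top-level block to `contents: read` and restore the per-job `permissions:` on `build` and `merge` as they were before this change.
```yaml
permissions:
  contents: read

# … unchanged: env, jobs.build strategy/matrix …
    runs-on: ${{ matrix.runs-on }}
    permissions:
      packages: write
      contents: read
      attestations: write
      id-token: write
# … unchanged: timeout-minutes, steps; the same block is restored on the merge job …
```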
@@ -163,11 +164,6 @@ jobs: merge: runs-on: ubuntu-latest - permissions: - packages: write - contents: read - attestations: write - id-token: write timeout-minutes: 90 needs: - build
diff --git a/.github/workflows/generate-api-docs.yml b/.github/workflows/generate-api-docs.yml
index 6cc8e1f0..bdb92036 100644
--- a/.github/workflows/generate-api-docs.yml
+++ b/.github/workflows/generate-api-docs.yml
@@ -3,6 +3,9 @@ on: push: branches: - main +permissions: + contents: read + jobs: api_docs: runs-on: ubuntu-latest
diff --git a/.github/workflows/npm-build.yml b/.github/workflows/npm-build.yml
index cf8cb58e..6201b91a 100644
--- a/.github/workflows/npm-build.yml
+++ b/.github/workflows/npm-build.yml
@@ -1,6 +1,8 @@ name: NPM Build on: [push] +permissions: + contents: read jobs: build:
diff --git a/.github/workflows/npm-lint.yml b/.github/workflows/npm-lint.yml
index 8802b9de..28f4c28a 100644
--- a/.github/workflows/npm-lint.yml
+++ b/.github/workflows/npm-lint.yml
@@ -1,6 +1,8 @@ name: NPM Lint on: [push] +permissions: + contents: read jobs: build:
diff --git a/.github/workflows/npm-publish-api.yml b/.github/workflows/npm-publish-api.yml
index 128228c3..a1b9501b 100644
--- a/.github/workflows/npm-publish-api.yml
+++ b/.github/workflows/npm-publish-api.yml
@@ -1,6 +1,8 @@ name: Publish API package to NPM on: workflow_dispatch +permissions: + contents: read jobs: build: runs-on: ubuntu-latest
diff --git a/.github/workflows/npm-publish-ui.yml b/.github/workflows/npm-publish-ui.yml
index 2c5800db..75e851c3 100644
--- a/.github/workflows/npm-publish-ui.yml
+++ b/.github/workflows/npm-publish-ui.yml
@@ -1,6 +1,8 @@ name: Publish UI package to NPM on: workflow_dispatch +permissions: + contents: read jobs: build: runs-on: ubuntu-latest
diff --git a/.github/workflows/npm-typecheck.yml b/.github/workflows/npm-typecheck.yml
index ebc80574..e98a6c7c 100644
--- a/.github/workflows/npm-typecheck.yml
+++ b/.github/workflows/npm-typecheck.yml
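Review bot: `contents: read` is the right default for a publish workflow whose npm credential comes from a repository secret, but if the `npm publish` step in npm-publish-api.yml (outside the hunk `@@ -1,6 +1,8 @@`) passes `--provenance`, it also needs `id-token: write` to obtain the OIDC token for the provenance attestation, and that grant belongs at the job level (`permissions:` under `build:`) so the read-only workflow default stays in place. The same applies to npm-publish-ui.yml, which receives the identical block in the following hunk. Both workflows are `workflow_dispatch`-only, so a manual run against a branch would confirm quickly whether publishing still succeeds with the reduced token.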
@@ -1,7 +1,8 @@ name: NPM Typecheck on: [push] - +permissions: + contents: read jobs: build: runs-on: ubuntu-latest
diff --git a/.github/workflows/phpstan.yml b/.github/workflows/phpstan.yml
index 91e61138..77f8d5cd 100644
--- a/.github/workflows/phpstan.yml
+++ b/.github/workflows/phpstan.yml
@@ -1,5 +1,7 @@ name: Static code analysis (PHPStan) on: push +permissions: + contents: read jobs: phpstan: runs-on: ubuntu-latest
diff --git a/.github/workflows/phpunit.yml b/.github/workflows/phpunit.yml
index 2dc92778..567421e8 100644
--- a/.github/workflows/phpunit.yml
+++ b/.github/workflows/phpunit.yml
@@ -1,5 +1,7 @@ name: PHPUnit Tests on: push +permissions: + contents: read jobs: phpunit: runs-on: ubuntu-latest
diff --git a/.github/workflows/pint.yml b/.github/workflows/pint.yml
index 32532fe9..cc417c76 100644
--- a/.github/workflows/pint.yml
+++ b/.github/workflows/pint.yml
@@ -1,5 +1,7 @@ name: PHP Linting on: push +permissions: + contents: read jobs: pint: runs-on: ubuntu-latest
diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml
index 05d2c256..d0f9b805 100644
--- a/.github/workflows/playwright.yml
+++ b/.github/workflows/playwright.yml
@@ -1,5 +1,7 @@ name: Playwright Tests on: [push] +permissions: + contents: read jobs: test: runs-on: ubuntu-latest