Restrict workflow permissions

youtube · Dec 12, 2022 · bcb632a · bcb632a
1 parent 16dca32
commit bcb632a
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 8 deletions.
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -10,6 +10,8 @@ concurrency:
   group: '${{ github.workflow }}-${{ inputs.platform }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.sha }}'
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   lint:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/main_win.yaml b/.github/workflows/main_win.yaml
@@ -83,6 +83,7 @@ jobs:
   # Build windows docker images.
   build-docker-image:
     needs: [initialize]
+    permissions: {}
     runs-on: windows-2019
     steps:
       - name: Checkout files

diff --git a/.github/workflows/nightly_trigger.yaml b/.github/workflows/nightly_trigger.yaml
@@ -7,7 +7,8 @@ on:
 
 jobs:
   trigger_23:
-    permissions: write-all
+    permissions:
+      actions: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -22,11 +23,12 @@ jobs:
           gh workflow run evergreen_23.lts.1+ --ref 23.lts.1+ -f nightly=true
           gh workflow run linux_23.lts.1+ --ref 23.lts.1+ -f nightly=true
           gh workflow run raspi-2_23.lts.1+ --ref 23.lts.1+ -f nightly=true
-          gh workflow run win32_23.lts.1+ --ref 23.lts.1+ -f nightly=true 
+          gh workflow run win32_23.lts.1+ --ref 23.lts.1+ -f nightly=true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   trigger_22:
-    permissions: write-all
+    permissions:
+      actions: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -44,7 +46,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   trigger_21:
-    permissions: write-all
+    permissions:
+      actions: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -61,7 +64,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   trigger_20:
-    permissions: write-all
+    permissions:
+      actions: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -77,7 +81,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   trigger_19:
-    permissions: write-all
+    permissions:
+      actions: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

diff --git a/.github/workflows/win32.yaml b/.github/workflows/win32.yaml
@@ -19,8 +19,7 @@ on:
 jobs:
   win32:
     uses: ./.github/workflows/main_win.yaml
-    permissions:
-      packages: write
+    permissions: {}
     with:
       platform: win32
       nightly: ${{ github.event.inputs.nightly }}