authorAlex <aleksandrosansan@gmail.com>2022-11-21 14:25:29 +0200
committerGitHub <noreply@github.com>2022-11-21 14:25:29 +0200
commite3e223bbd9ac49c8f17d0eec518caa55c55cc92e (patch)
tree88f10f0de2b33d3bf26d9172e2d3457b1f4137a8
parente425674d84a63762f16d5b44b19aa70119fcd814 (diff)
GitHub Workflows security hardening (#2444)
* build: harden pypi-publish.yaml permissions
Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden stale-issues.yml permissions
Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden release-drafter.yml permissions
Signed-off-by: Alex <aleksandrosansan@gmail.com>

* build: harden integration.yaml permissions
Signed-off-by: Alex <aleksandrosansan@gmail.com>

Signed-off-by: Alex <aleksandrosansan@gmail.com>
Co-authored-by: Chayim <chayim@users.noreply.github.com>
-rw-r--r--.github/workflows/integration.yaml3
-rw-r--r--.github/workflows/pypi-publish.yaml3
-rw-r--r--.github/workflows/release-drafter.yml5
-rw-r--r--.github/workflows/stale-issues.yml5
4 files changed, 16 insertions, 0 deletions
diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
index c2b84a6..8d38cd4 100644
--- a/.github/workflows/integration.yaml
+++ b/.github/workflows/integration.yaml
@@ -16,6 +16,9 @@ on:
schedule:
- cron: '0 1 * * *' # nightly build
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
jobs:
dependency-audit:
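Review bot: The workflow-level `permissions:` block added above `jobs:` applies to every job in integration.yaml, not only to the checkout step its comment names, so any job outside this hunk that writes back to the repository or publishes through the GITHUB_TOKEN will now fail unless it declares its own job-level `permissions:`. The job bodies are outside the hunk, so whether `contents: read` is sufficient for all of them cannot be confirmed from here; a full run of the workflow before merging would settle it. A comment stating the scope would keep this from surprising the next editor: `# default for every job; a job that needs more must set its own permissions: block`. The same applies to the identical block added in pypi-publish.yaml.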
diff --git a/.github/workflows/pypi-publish.yaml b/.github/workflows/pypi-publish.yaml
index 3e7f801..50332c1 100644
--- a/.github/workflows/pypi-publish.yaml
+++ b/.github/workflows/pypi-publish.yaml
@@ -4,6 +4,9 @@ on:
release:
types: [published]
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
jobs:
build_and_package:
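Review bot: `contents: read` only covers fetching the code, and the `build_and_package` job body is outside the hunk, so it is not visible whether the upload step authenticates with a stored PyPI token or with OIDC trusted publishing. If it does (or later moves to) trusted publishing, that job additionally needs `id-token: write` declared at job level, which the workflow-level block does not grant and which the job would otherwise silently lack. A note next to the job name records this: `# if publishing via OIDC trusted publishing, this job needs id-token: write`.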
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index ec2d88b..eebb3e6 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -6,8 +6,13 @@ on:
branches:
- master
+permissions: {}
jobs:
update_release_draft:
+ permissions:
+ pull-requests: write # to add label to PR (release-drafter/release-drafter)
+ contents: write # to create a github release (release-drafter/release-drafter)
+
runs-on: ubuntu-latest
steps:
# Drafts your next Release notes as Pull Requests are merged into "master"
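Review bot: The added blank line after the job-level `permissions:` block sits inside the `update_release_draft` mapping, between `permissions:` and `runs-on:`, while no other key of the job is separated by a blank line; dropping it keeps the job block contiguous (the same stray blank line is added inside the `stale` job in stale-issues.yml). The shape of the change is otherwise the right one: `permissions: {}` at workflow level means any job added later starts with no token scopes unless it asks for them. Note that a job-level `permissions:` block replaces rather than merges with the workflow-level one; `contents: write` includes read access, so a checkout in this job still works. The step list continues outside the hunk.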
diff --git a/.github/workflows/stale-issues.yml b/.github/workflows/stale-issues.yml
index 562cd58..32fd9e8 100644
--- a/.github/workflows/stale-issues.yml
+++ b/.github/workflows/stale-issues.yml
@@ -3,8 +3,13 @@ on:
schedule:
- cron: "0 0 * * *"
+permissions: {}
jobs:
stale:
+ permissions:
+ issues: write # to close stale issues (actions/stale)
+ pull-requests: write # to close stale PRs (actions/stale)
+
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v3
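Review bot: The job now grants `issues: write` and `pull-requests: write` to `actions/stale@v3`, which is referenced by a mutable major-version tag, so whatever that tag points to on a given night receives those scopes on this repository. Pinning the step to a full commit SHA, with the tag kept as a comment, makes the code that runs with the token deterministic: `- uses: actions/stale@<full-commit-sha>  # v3` (placeholder — take the SHA from the action's release). Scoping the token as this hunk does is the first half of the hardening; pinning is the complementary half. The rest of the step list is outside the hunk.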