From 5220da996e3e2fd8e00833ac52d97f4e0ea71ae6 Mon Sep 17 00:00:00 2001
From: Kelly Sovacool
Date: Tue, 8 Apr 2025 10:19:32 -0400
Subject: [PATCH] chore(ci): address codeql alerts
explicitly set permissions for gha workflows
---
.github/workflows/auto_add_reponame_labels.yml | 4 +++-
.github/workflows/autoassig_milestone_to_issue.yml | 5 +++++
.github/workflows/docs-mkdocs.yml | 4 +++-
.github/workflows/draft-release.yml | 3 ++-
.github/workflows/post-release.yml | 3 ++-
.github/workflows/techdev-project.yml | 4 +++-
.github/workflows/user-projects.yml | 4 +++-
7 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/auto_add_reponame_labels.yml b/.github/workflows/auto_add_reponame_labels.yml
index 4d5c25e..658d105 100644
--- a/.github/workflows/auto_add_reponame_labels.yml
+++ b/.github/workflows/auto_add_reponame_labels.yml
@@ -7,7 +7,9 @@ on:
 pull_request:
 types:
 - opened
-
+permissions:
+ issues: write
+ pull-requests: write
 jobs:
 add_label:
 uses: CCBR/.github/.github/workflows/add_reponame_issue_label.yml@v0.2.0
diff --git a/.github/workflows/autoassig_milestone_to_issue.yml b/.github/workflows/autoassig_milestone_to_issue.yml
index 224ffed..0336720 100644
--- a/.github/workflows/autoassig_milestone_to_issue.yml
+++ b/.github/workflows/autoassig_milestone_to_issue.yml
@@ -4,6 +4,11 @@ on:
 types: [assigned, opened, reopened]
 pull_request:
 types: [assigned, opened, reopened]
+
+permissions:
+ issues: write
+ pull-requests: write
+
 jobs:
 milestone:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docs-mkdocs.yml b/.github/workflows/docs-mkdocs.yml
index 89b719b..0a078c0 100644
--- a/.github/workflows/docs-mkdocs.yml
+++ b/.github/workflows/docs-mkdocs.yml
@@ -12,7 +12,9 @@ on:
 - "**.md"
 - .github/workflows/docs-mkdocs.yml
 - mkdocs.yml
-
+permissions:
+ contents: write
+ pages: write
 jobs:
 mkdocs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
index d643f5c..9f7e474 100644
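Review bot: The `uses:` context line in the auto_add_reponame_labels.yml hunk pins the reusable workflow to the tag `@v0.2.0`, which is a mutable reference, and the user-projects.yml hunk does the same with `@v0.1.0`. The new workflow-level `permissions` block is the ceiling for the called workflow, so the grant itself is right, but anyone who can move that tag in CCBR/.github changes what runs here with `issues: write` and `pull-requests: write`. Pinning to the full commit SHA and keeping the tag as a trailing comment makes the reference immutable while staying readable, e.g. `uses: CCBR/.github/.github/workflows/add_reponame_issue_label.yml@<full-commit-sha-for-v0.2.0> # v0.2.0`. The `jobs:` block continues past both hunks, so I cannot see whether further steps in these files reference actions by tag as well.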
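Review bot: In the autoassig_milestone_to_issue.yml hunk the `permissions` block is declared at workflow level, so `issues: write` and `pull-requests: write` are handed to every job in the file rather than only to `milestone`; the docs-mkdocs.yml, draft-release.yml and post-release.yml hunks declare their `contents: write` the same way. If each of these files has just the one job the hunk shows, the effect is identical, but the job bodies run past the hunks so I cannot confirm that. Placing the block under the job instead, i.e. `milestone:` followed by an indented `permissions:` carrying `issues: write` and `pull-requests: write`, keeps the grant next to the step that needs it and means a job added later starts from the repository default rather than inheriting write. A one-line comment naming the step that needs each write scope would also make the next CodeQL review quicker.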
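Review bot: The docs-mkdocs.yml hunk grants both `contents: write` and `pages: write`, but which of the two the `mkdocs` job actually needs depends on the deploy step, which lies outside the hunk. If the site is published by pushing a gh-pages branch (mkdocs gh-deploy), `contents: write` is the scope in use and `pages: write` can be dropped; if it goes through actions/deploy-pages, `pages: write` is needed together with `id-token: write`, and `contents: write` is then probably surplus to a read-only checkout. Recording the reason on the block, for example `# contents: write — gh-pages push in the deploy step below`, would let the next reader verify the scope without re-deriving it.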
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -11,7 +11,8 @@ on:
 required: false
 type: string
 default: ""
-
+permissions:
+ contents: write
 jobs:
 draft-release:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
index e0e21eb..7718f1c 100644
--- a/.github/workflows/post-release.yml
+++ b/.github/workflows/post-release.yml
@@ -4,7 +4,8 @@ on:
 release:
 types:
 - published
-
+permissions:
+ contents: write
 jobs:
 cleanup:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/techdev-project.yml b/.github/workflows/techdev-project.yml
index e33449f..7786b7a 100644
--- a/.github/workflows/techdev-project.yml
+++ b/.github/workflows/techdev-project.yml
@@ -7,7 +7,9 @@ on:
 pull_request:
 types:
 - opened
-
+permissions:
+ issues: read
+ pull-requests: read
 jobs:
 add-to-project:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/user-projects.yml b/.github/workflows/user-projects.yml
index abcb542..0ff4b66 100644
--- a/.github/workflows/user-projects.yml
+++ b/.github/workflows/user-projects.yml
@@ -7,7 +7,9 @@ on:
 pull_request:
 types:
 - assigned
-
+permissions:
+ issues: read
+ pull-requests: write
 jobs:
 add-to-project:
 uses: CCBR/.github/.github/workflows/auto-add-user-project.yml@v0.1.0
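Review bot: The techdev-project.yml hunk sets only read scopes, which is the right floor for GITHUB_TOKEN, but the `add-to-project` job body is outside the hunk, and adding an item to a GitHub Project usually requires a separate PAT or GitHub App token because the built-in token cannot be granted project write. If that is the case here, this `permissions` block does not constrain the token that performs the write at all; its scope has to be minimized where that secret is issued (the App's permissions or the PAT's fine-grained scopes). A short comment above `permissions:` such as `# GITHUB_TOKEN is read-only here; the project write uses a separately scoped token` would keep that distinction visible to whoever audits the workflow next.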
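Review bot: The user-projects.yml hunk grants `pull-requests: write`, while the parallel techdev-project.yml hunk, which appears to do the same kind of project assignment, gets by with `pull-requests: read`; the called reusable workflow `auto-add-user-project.yml@v0.1.0` is not in this diff, so I cannot see what it needs write on pull requests for. If the called workflow does not write to pull requests, `pull-requests: read` keeps the two project workflows consistent; if it does, a comment such as `# pull-requests: write — required by auto-add-user-project.yml for <reason>` would document why this file is the exception.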