Set least privileged token permission for GitHub Actions (#3155)

Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>
2 years ago · da51adc276
parent e5af37bc8c
commit da51adc276
3 changed files with 12 additions and 0 deletions
--- a/.github/workflows/build-and-push-image.yml
+++ b/.github/workflows/build-and-push-image.yml
@ -9,6 +9,9 @@ on:
        description: 'Image tag'
        required: true
        default: 'test'
+permissions:
+  contents: read
+
 jobs:
  image:
    name: Build Image from Dockerfile and binaries
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@ -3,6 +3,9 @@ name: goreleaser
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  goreleaser:
    runs-on: ubuntu-latest
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -8,8 +8,14 @@ on:
        description: 'In debug mod'
        required: false
        default: 'false'
+permissions:
+  contents: read
+
 jobs:
  stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
    runs-on: ubuntu-latest
    steps:
    - uses: actions/stale@v6