Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b5ce39b5 authored by nathannaveen's avatar nathannaveen Committed by Alexandre FLAMENT
Browse files

chore: Set permissions for GitHub actions (#3225) 

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

)

Signed-off-by: default avatarnathannaveen <42319948+nathannaveen@users.noreply.github.com>
parent 7101c5ec

.github/workflows/integration.yml

+7 −0
Original line number Diff line number Diff line
@@ -6,6 +6,9 @@ on: 
  pull_request:

    branches: ["master"]



permissions:

  contents: read



jobs:

  python:

    name: Python ${{ matrix.python-version }}
@@ -81,6 +84,8 @@ jobs: 
  documentation:

    name: Documentation

    runs-on: ubuntu-20.04

    permissions:

      contents: write  # for JamesIves/github-pages-deploy-action to push changes in repo

    steps:

    - name: Checkout

      uses: actions/checkout@v2
@@ -125,6 +130,8 @@ jobs: 
      - python

      - themes

      - documentation

    permissions:

      contents: write  # for make V=1 weblate.push.translations

    steps:

    - name: Checkout

      uses: actions/checkout@v2