GitHub Workflows security hardening (#31057)

* build: harden pr-auto-fix.yaml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> * build: harden pr-auto-tag.yaml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com>
2 years ago · 90beb3f4c4
parent afa3a6c890
commit 90beb3f4c4
2 changed files with 13 additions and 0 deletions
--- a/.github/workflows/pr-auto-fix.yaml
+++ b/.github/workflows/pr-auto-fix.yaml
@ -1,7 +1,13 @@
 name: PR AutoFix
 on: [push]
+permissions: {}
 jobs:
  PRAutoFix:
+    permissions:
+      actions: write # to cancel/stop running workflows (styfle/cancel-workflow-action)
+      contents: write # to create branch (peter-evans/create-pull-request)
+      pull-requests: write # to create a PR (peter-evans/create-pull-request)
+
    runs-on: ubuntu-latest
    steps:
      # Cache bazel build
--- a/.github/workflows/pr-auto-tag.yaml
+++ b/.github/workflows/pr-auto-tag.yaml
@ -2,8 +2,15 @@ name: PR AutoTag
 on:
  pull_request_target:
    types: [opened, reopened, synchronized, edited]
+permissions:
+  contents: read # to determine modified files (actions/labeler)
+
 jobs:
  triage:
+    permissions:
+      contents: read # to determine modified files (actions/labeler)
+      pull-requests: write # to add labels to PRs (actions/labeler)
+
    runs-on: ubuntu-latest
    steps:
    - uses: actions/labeler@v3