[actions] improve default action permissions

2025-05-10 14:21:50 +00:00 · 2024-06-10 08:59:48 -07:00 · 2024-06-10 08:59:48 -07:00 · c20db2ab86
commit c20db2ab86
parent 29dce5edfd
9 changed files with 29 additions and 16 deletions
--- a/.github/workflows/latest-npm.yml
+++ b/.github/workflows/latest-npm.yml
@ -2,6 +2,9 @@ name: 'Tests: `nvm install-latest-npm`'
 on: [pull_request, push]
 permissions:
  contents: read
 jobs:
  matrix:
    runs-on: ubuntu-latest
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -2,10 +2,11 @@ name: 'Tests: linting'
 on: [pull_request, push]
 permissions:
  contents: read
 jobs:
  eclint:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
@ -23,8 +24,6 @@ jobs:
      - run: npm run eclint
  dockerfile_lint:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
@ -44,8 +43,6 @@ jobs:
      - run: npm run dockerfile_lint
  doctoc:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
@ -63,8 +60,6 @@ jobs:
      - run: npm run doctoc:check
  test_naming:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@ -2,6 +2,9 @@ name: Automatic Rebase
 on: [pull_request_target]
 permissions:
  contents: read
 jobs:
  _:
    permissions:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -2,10 +2,11 @@ name: 'Tests: release process'
 on: [pull_request, push]
 permissions:
  contents: read
 jobs:
  release:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
--- a/.github/workflows/require-allow-edits.yml
+++ b/.github/workflows/require-allow-edits.yml
@ -2,6 +2,9 @@ name: Require “Allow Edits”
 on: [pull_request_target]
 permissions:
  contents: read
 jobs:
  _:
    permissions:
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@ -2,10 +2,11 @@ name: 'Tests: shellcheck'
 on: [pull_request, push]
 permissions:
  contents: read
 jobs:
  shellcheck_matrix:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
@ -52,8 +53,4 @@ jobs:
      needs: [shellcheck_matrix]
      runs-on: ubuntu-latest
      steps:
        - name: Harden Runner
          uses: step-security/harden-runner@v2
          with:
            egress-policy: block
        - run: true
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -2,6 +2,9 @@ name: urchin tests
 on: [push]
 permissions:
  contents: read
 jobs:
  tests:
    permissions:
@ -49,6 +52,8 @@ jobs:
      - run: make TERM=xterm-256color TEST_SUITE="${{ matrix.suite }}" SHELL="${{ matrix.shell }}" URCHIN="$(npx which urchin)" test-${{ matrix.shell }}
  nvm:
    permissions:
      contents: none
    name: 'all test suites, all shells'
    needs: [tests]
    runs-on: ubuntu-latest
--- a/.github/workflows/toc.yml
+++ b/.github/workflows/toc.yml
@ -2,6 +2,9 @@ name: update readme TOC
 on: [push]
 permissions:
  contents: read
 jobs:
  _:
    permissions:
--- a/.github/workflows/windows-npm.yml
+++ b/.github/workflows/windows-npm.yml
@ -2,6 +2,9 @@ name: 'Tests on Windows: `nvm install`'
 on: [pull_request, push]
 permissions:
  contents: read
 env:
  NVM_INSTALL_GITHUB_REPO: ${{ github.repository }}
  NVM_INSTALL_VERSION: ${{ github.sha }}