[actions] improve default action permissions

2025-05-10 14:21:50 +00:00 · 2024-06-10 08:59:48 -07:00 · 2024-06-10 08:59:48 -07:00 · c20db2ab86
commit c20db2ab86
parent 29dce5edfd
9 changed files with 29 additions and 16 deletions
--- a/.github/workflows/latest-npm.yml
+++ b/.github/workflows/latest-npm.yml
@ -2,6 +2,9 @@ name: 'Tests: `nvm install-latest-npm`'

 on: [pull_request, push]

+permissions:
+  contents: read
+
 jobs:
  matrix:
    runs-on: ubuntu-latest
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -2,10 +2,11 @@ name: 'Tests: linting'

 on: [pull_request, push]

+permissions:
+  contents: read
+
 jobs:
  eclint:
-    permissions:
-      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
@ -23,8 +24,6 @@ jobs:
      - run: npm run eclint

  dockerfile_lint:
-    permissions:
-      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
@ -44,8 +43,6 @@ jobs:
      - run: npm run dockerfile_lint

  doctoc:
-    permissions:
-      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
@ -63,8 +60,6 @@ jobs:
      - run: npm run doctoc:check

  test_naming:
-    permissions:
-      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@ -2,6 +2,9 @@ name: Automatic Rebase

 on: [pull_request_target]

+permissions:
+  contents: read
+
 jobs:
  _:
    permissions:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -2,10 +2,11 @@ name: 'Tests: release process'

 on: [pull_request, push]

+permissions:
+  contents: read
+
 jobs:
  release:
-    permissions:
-      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
--- a/.github/workflows/require-allow-edits.yml
+++ b/.github/workflows/require-allow-edits.yml
@ -2,6 +2,9 @@ name: Require “Allow Edits”

 on: [pull_request_target]

+permissions:
+  contents: read
+
 jobs:
  _:
    permissions:
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@ -2,10 +2,11 @@ name: 'Tests: shellcheck'

 on: [pull_request, push]

+permissions:
+  contents: read
+
 jobs:
  shellcheck_matrix:
-    permissions:
-      contents: read
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
@ -52,8 +53,4 @@ jobs:
      needs: [shellcheck_matrix]
      runs-on: ubuntu-latest
      steps:
-        - name: Harden Runner
-          uses: step-security/harden-runner@v2
-          with:
-            egress-policy: block
        - run: true
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -2,6 +2,9 @@ name: urchin tests

 on: [push]

+permissions:
+  contents: read
+
 jobs:
  tests:
    permissions:
@ -49,6 +52,8 @@ jobs:
      - run: make TERM=xterm-256color TEST_SUITE="${{ matrix.suite }}" SHELL="${{ matrix.shell }}" URCHIN="$(npx which urchin)" test-${{ matrix.shell }}

  nvm:
+    permissions:
+      contents: none
    name: 'all test suites, all shells'
    needs: [tests]
    runs-on: ubuntu-latest
--- a/.github/workflows/toc.yml
+++ b/.github/workflows/toc.yml
@ -2,6 +2,9 @@ name: update readme TOC

 on: [push]

+permissions:
+  contents: read
+
 jobs:
  _:
    permissions:
--- a/.github/workflows/windows-npm.yml
+++ b/.github/workflows/windows-npm.yml
@ -2,6 +2,9 @@ name: 'Tests on Windows: `nvm install`'

 on: [pull_request, push]

+permissions:
+  contents: read
+
 env:
  NVM_INSTALL_GITHUB_REPO: ${{ github.repository }}
  NVM_INSTALL_VERSION: ${{ github.sha }}