From badf33c54457ea4b01125add6008fc7289457390 Mon Sep 17 00:00:00 2001
From: winlin
Date: Tue, 10 Jan 2023 21:55:06 +0800
Subject: [PATCH] Scorecard: Delcare default permissions as read only except CodeQL.

---
 .github/workflows/codeql-analysis.yml |  3 +++
 .github/workflows/release.yml         |  3 +++
 .github/workflows/scorecard.yml       | 15 ++++++++-------
 .github/workflows/test.yml            |  3 +++
 4 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 69796f15e2..1aa6f66d6f 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -3,6 +3,9 @@ name: "CodeQL"
 # @see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags
 on: [push, pull_request]
 
+# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions: write-all
+
 jobs:
   analyze:
     name: actions-codeql-analyze
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c8af7fca29..8830563336 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ on:
     tags:
       - v6*
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   envs:
     name: envs
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index eb36f731f5..faa79f68fe 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -2,7 +2,8 @@
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
 
-name: Scorecard supply-chain security
+name: Scorecard
+
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
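Review bot: The top-level `permissions: write-all` added to codeql-analysis.yml hands GITHUB_TOKEN every write scope for a workflow that runs on any `push` and `pull_request`, which is far broader than CodeQL needs and works against the commit's stated goal of defaulting to read-only. Uploading SARIF to code scanning needs only `security-events: write`, plus `actions: read` and `contents: read` for the checkout and workflow metadata, so the block should be scoped rather than opened wide; Scorecard's own Token-Permissions check is, as far as I recall, likely to flag a top-level write grant like this. The `jobs:` block that consumes the token continues outside the hunk.

```yaml
# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
  actions: read
  contents: read
  security-events: write
```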
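Review bot: The `permissions: read-all` default in release.yml caps every job in the workflow, so any job that uses GITHUB_TOKEN to write (creating a release, publishing a package, pushing a tag) will start failing with 403s; the jobs sit outside the hunk, so I can't tell from here whether any does. If one does, the fix is a job-level block on that job alone, e.g. `permissions:` / `contents: write`, rather than widening the top-level default. The added comment could record that contract: `# Default to read-only; a job that must write declares its own permissions block.`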
@@ -58,12 +59,12 @@ jobs:
 
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
+      #- name: "Upload artifact"
+      #  uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+      #  with:
+      #    name: SARIF file
+      #    path: results.sarif
+      #    retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5ca048ece6..ff895ee7a2 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -3,6 +3,9 @@ name: "Test"
 # @see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags
 on: [push, pull_request]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 # The dependency graph:
 #     test(6m)
 #     multiple-arch-armv7(13m)
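Review bot: Commenting out the "Upload artifact" step leaves six lines of dead YAML in scorecard.yml; the pinned action SHA and `# v3.1.0` marker are preserved in git history, so deleting the step outright (or gating it with an `if:` condition) reads better than a commented-out block. If it is kept, the lines should use the `# ` form yamllint's `comments` rule expects (`#- name:` becomes `# - name:`), and the header comment above should say why the upload is disabled, e.g. `# Artifact upload disabled; results go only to code scanning below.` The enclosing `steps:` list starts outside the hunk.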