From 6a5a811bd01cc60076b5e3a94f1b3a0d1352084e Mon Sep 17 00:00:00 2001
From: Eden Zimbelman
Date: Fri, 13 Dec 2024 13:55:51 -0800
Subject: [PATCH] ci: reduce the permissions for github actions jobs (#375)

---
 .github/workflows/develop.yml | 2 ++
 .github/workflows/publish.yml | 3 +++
 .github/workflows/test.yml | 5 ++++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/develop.yml b/.github/workflows/develop.yml
index ad36f682..97dda648 100644
--- a/.github/workflows/develop.yml
+++ b/.github/workflows/develop.yml
@@ -11,6 +11,8 @@ jobs:
 steps:
 - name: Checkout action
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup the Node runtime for this project
 uses: actions/setup-node@v4
 with:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 212e1aad..f3d012ca 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -8,10 +8,13 @@ jobs:
 build:
 name: Build and tag a new version
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: Checkout the current code
 uses: actions/checkout@v4
 with:
+ persist-credentials: false
 ref: ${{ github.event.release.tag_name }}
 - name: Configure the runtime node
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index c957132c..90238826 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -11,10 +11,13 @@ jobs:
 name: Run tests
 runs-on: ubuntu-latest
 environment: staging
+ permissions:
+ checks: write
 steps:
 - name: "build: checkout the latest changes"
 uses: actions/checkout@v4
 with:
+ persist-credentials: false
 ref: ${{ github.event.pull_request.head.sha }}
 - name: "build: setup the node runtime"
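Review bot: The develop.yml job keeps the repository's default GITHUB_TOKEN scopes, because this hunk adds `persist-credentials: false` to the checkout but, unlike the publish.yml and test.yml hunks in the same commit, adds no `permissions:` block to the job. Unless `permissions` is already set at the workflow level (the top of the file is outside the hunk), add `permissions:` / `contents: read` to the job so the token is limited to what checkout needs, which is the stated goal of the commit. The enclosing job definition starts outside the hunk.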
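Review bot: With `persist-credentials: false` on the publish.yml checkout, the token is no longer stored in the checked-out repository's git config, so any later step that pushes the tag named in "Build and tag a new version" must receive the token explicitly (for example through an env var populated from `secrets.GITHUB_TOKEN`) or it will fail to authenticate; those steps follow `Configure the runtime node` outside the hunk, so confirm it there. A job-level `permissions:` block also sets every scope not listed to `none`, making `contents: write` the only grant, which is presumably intended; a short comment above the block, such as `# contents: write is needed only to push the release tag; all other scopes are none`, would record that intent for the next reader.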
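Review bot: The job-level `permissions:` / `checks: write` added in the test.yml hunk sets every unlisted scope, including `contents`, to `none`, while actions/checkout documents that it needs `contents: read`; a public repository may still succeed implicitly, a private one will not, so add `contents: read` next to `checks: write` to make the dependency explicit. Separately, the job checks out `github.event.pull_request.head.sha` inside the `staging` environment, which is fine on a `pull_request` trigger but would run the PR's own code with the environment's secrets if the workflow used `pull_request_target`; the `on:` block is outside the hunk, so confirm which trigger is in use.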
@@ -226,7 +229,7 @@ jobs:
 - name: "chore(health): check up on recent changes to the health score"
 uses: slackapi/slack-health-score@v0.1.1
 with:
- codecov_token: ${{ secrets.CODECOV_TOKEN }}
+ codecov_token: ${{ secrets.CODECOV_API_TOKEN }}
 github_token: ${{ secrets.GITHUB_TOKEN }}
 extension: js
 include: src
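Review bot: The switch to `secrets.CODECOV_API_TOKEN` only works if a secret of that name exists in the `staging` environment this job runs in; an undefined secret expands to an empty string rather than failing the expression, so the health-score step would silently run without Codecov authentication. Verify the secret has been created under the new name, and consider asserting it is non-empty in an earlier step so a rename slip fails loudly. Since this step receives `secrets.GITHUB_TOKEN` in a job that now holds `checks: write`, pinning `slackapi/slack-health-score` to a full-length commit SHA instead of the mutable `v0.1.1` tag would keep that token from being exposed to an unreviewed update of the action.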