From f4a7ba967e739239173bc2440b4e1c6ba3cf41f0 Mon Sep 17 00:00:00 2001
From: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Date: Thu, 24 Mar 2022 11:32:57 -0500
Subject: [PATCH] Set permissions for GitHub actions (#7984)
This limits the damage that a compromised GitHub action could do.
See https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
---
.github/workflows/commit-validation.yml | 3 +++
.github/workflows/format-validation.yml | 3 +++
.github/workflows/lint.yml.bkp | 3 +++
.github/workflows/release-candidate.yml | 3 +++
4 files changed, 12 insertions(+)
diff --git a/.github/workflows/commit-validation.yml b/.github/workflows/commit-validation.yml
index 0b52e94e5..1c785d6f8 100644
--- a/.github/workflows/commit-validation.yml
+++ b/.github/workflows/commit-validation.yml
@@ -1,6 +1,9 @@
name: commit-validation
on: [ push, pull_request ]
+permissions:
+ contents: read
+
jobs:
check-commit-msg-length:
runs-on: ubuntu-latest
diff --git a/.github/workflows/format-validation.yml b/.github/workflows/format-validation.yml
index a0a5b34b7..f75e35db8 100644
--- a/.github/workflows/format-validation.yml
+++ b/.github/workflows/format-validation.yml
@@ -26,6 +26,9 @@ on:
- 'test/tables/planets.jats_archiving'
- 'test/tables/students.jats_archiving'
+permissions:
+ contents: read
+
jobs:
jats:
name: JATS
diff --git a/.github/workflows/lint.yml.bkp b/.github/workflows/lint.yml.bkp
index 13f4919da..890f55636 100644
--- a/.github/workflows/lint.yml.bkp
+++ b/.github/workflows/lint.yml.bkp
@@ -14,6 +14,9 @@ on:
- stack.yaml
- .travis.yml
+permissions:
+ contents: read
+
jobs:
lint:
name: Lint
diff --git a/.github/workflows/release-candidate.yml b/.github/workflows/release-candidate.yml
index 84b2e8565..7259e6215 100644
--- a/.github/workflows/release-candidate.yml
+++ b/.github/workflows/release-candidate.yml
@@ -5,6 +5,9 @@ on:
branches:
- 'rc/**'
+permissions:
+ contents: read
+
jobs:
linux: