Added minimum permissions to workflows (#1517)

Signed-off-by: Eddie Knight <iv.eddieknight@gmail.com>
2022-10-07 04:27:25 -05:00 · 2022-10-07 04:27:25 -05:00 · c041c74464
parent 5963c0befe
commit c041c74464
4 changed files with 22 additions and 0 deletions
--- a/.github/workflows/lint-and-test.yml
+++ b/.github/workflows/lint-and-test.yml
@ -1,6 +1,10 @@
 ## Reference: https://github.com/helm/chart-testing-action
 name: Linting and Testing
 on: pull_request
+
+permissions:
+  contents: read
+
 jobs:
  chart-test:
    runs-on: ubuntu-latest
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@ -8,8 +8,14 @@ on:
      - edited
      - synchronize

+permissions:
+  contents: read
+
 jobs:
  main:
+    permissions:
+      pull-requests: read  # for amannn/action-semantic-pull-request to analyze PRs
+      statuses: write  # for amannn/action-semantic-pull-request to mark status of analyzed PR
    name: Validate PR title
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@ -5,8 +5,13 @@ on:
    branches:
      - main

+permissions:
+  contents: read
+
 jobs:
  publish:
+    permissions:
+      contents: write  # for helm/chart-releaser-action to push chart release and create a release
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -3,8 +3,15 @@ name: Mark stale issues and pull requests
 on:
  schedule:
  - cron: "30 1 * * *"
+
+permissions:
+  contents: read
+
 jobs:
  stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
    runs-on: ubuntu-latest
    steps:
    - uses: actions/stale@v5