Harden workflows by defining only strictly needed permissions for all of them (#174)

* Define only needed write permissions
Lorenzooone 2022-07-05 15:38:23 +02:00 committed by GitHub
parent 64c1d925a3
commit 7c9408ec44
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 27 additions and 5 deletions


@ -1,10 +1,13 @@
name: Build
on:
# Trigger the workflow on push or pull request,
# Trigger the workflow on push,
# but only for the master branch
push:
branches:
- master
permissions: read-all
jobs:
build:
name: Patch building
@ -23,6 +26,8 @@ jobs:
name: Patch publishing
runs-on: ubuntu-latest
needs: build
permissions:
contents: write
steps:
- name: Download a single artifact
uses: actions/download-artifact@v3
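Review bot: The workflow-level `permissions: read-all` grants read on every token scope (actions, packages, pull-requests, …) while the build job appears to need only repository checkout; the tighter form is `permissions:` / `  contents: read`, and the same narrowing applies to the `permissions: read-all` lines added at the top of the other two workflows in this commit. The publishing job's own `permissions:` block replaces, rather than merges with, the workflow-level one, so that job ends up with `contents: write` only, which is correct but easy to misread later. A one-line comment above it, `# job-level permissions replace the workflow default; publishing needs only contents: write`, would keep a future edit from adding scopes back at the top on the assumption they are inherited. The build job's steps continue outside the first hunk, so whether it needs anything beyond `contents: read` is inferred here.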


@ -3,6 +3,8 @@ on:
pull_request:
branches: master
permissions: read-all
jobs:
build:
name: Patch building


@ -1,10 +1,13 @@
name: Test
on:
# Trigger the workflow on push or pull request,
# Trigger the workflow on push,
# but only for the master branch
push:
branches:
- master
permissions: read-all
jobs:
test:
name: Testing
@ -26,12 +29,24 @@ jobs:
with:
name: test-report
path: out/test.log
- name: Create Issue for Test failure
if: failure()
issue_creation:
name: Create issue on failure
runs-on: ubuntu-latest
permissions:
issues: write
needs: test
if: failure()
steps:
- name: Download a single artifact
uses: actions/download-artifact@v3
with:
name: test-report
- name: Create the issue
uses: peter-evans/create-issue-from-file@v4
with:
title: Test failure
content-filepath: out/test.log
content-filepath: test.log
labels: |
report
automated issue
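Review bot: The new `issue_creation` job hands an `issues: write` token to the third-party `peter-evans/create-issue-from-file@v4`, and a floating major tag resolves to whatever code the tag owner points it at; pinning to a full commit SHA with the tag kept as a comment, `uses: peter-evans/create-issue-from-file@<full-commit-sha>  # v4`, fixes which code receives that token (the `actions/download-artifact@v3` reference in the same job would follow the same convention). The change from `content-filepath: out/test.log` to `test.log` looks to depend on the download step, which gives no `path:`, placing the artifact's `test.log` in the workspace root; a comment on that step, `# no path: given, so test.log lands in the workspace root`, would record the coupling. `issues: write` is the minimal scope for this job since it does not check out the repository. The `labels` block scalar is the last line shown, so the job may continue past this hunk.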