
Commit 8b02e33

build: limit workflow gh token permissions (#48969)
* build: limit workflow gh token permissions Co-authored-by: Samuel Attard <[email protected]> * feedback Co-authored-by: Samuel Attard <[email protected]> --------- Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com> Co-authored-by: Samuel Attard <[email protected]> Co-authored-by: Samuel Attard <[email protected]>
1 parent eecca2c commit 8b02e33

23 files changed

+133
-17
lines changed

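--- a/.github/workflows/archaeologist-dig.yml
+++ b/.github/workflows/archaeologist-dig.yml
@@ -3,10 +3,14 @@ name: Archaeologist
 on:
 pull_request:
 
+permissions: {}
+
 jobs:
 archaeologist-dig:
 name: Archaeologist Dig
 runs-on: ubuntu-latest
+permissions:
+contents: read
 steps:
 - name: Checkout Electron
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.0.2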

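--- a/.github/workflows/build-git-cache.yml
+++ b/.github/workflows/build-git-cache.yml
@@ -6,9 +6,13 @@ on:
 schedule:
 - cron: "0 0 * * *"
 
+permissions: {}
+
 jobs:
 build-git-cache-linux:
 runs-on: electron-arc-centralus-linux-amd64-32core
+permissions:
+contents: read
 container:
 image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
 options: --user root
@@ -30,6 +34,8 @@ jobs:
 
 build-git-cache-windows:
 runs-on: electron-arc-centralus-linux-amd64-32core
+permissions:
+contents: read
 container:
 image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
 options: --user root --device /dev/fuse --cap-add SYS_ADMIN
@@ -52,6 +58,8 @@ jobs:
 
 build-git-cache-macos:
 runs-on: electron-arc-centralus-linux-amd64-32core
+permissions:
+contents: read
 # This job updates the same git cache as linux, so it needs to run after the linux one.
 needs: build-git-cache-linux
 container: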

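--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -43,10 +43,13 @@ defaults:
 run:
 shell: bash
 
+permissions: {}
+
 jobs:
 setup:
 runs-on: ubuntu-latest
 permissions:
+contents: read
 pull-requests: read
 outputs:
 docs: ${{ steps.filter.outputs.docs }}
@@ -84,6 +87,8 @@ jobs:
 needs: setup
 if: ${{ !inputs.skip-lint }}
 uses: ./.github/workflows/pipeline-electron-lint.yml
+permissions:
+contents: read
 with:
 container: '{"image":"ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}","options":"--user root"}'
 secrets: inherit
@@ -93,6 +98,8 @@ jobs:
 needs: [setup, checkout-linux]
 if: ${{ needs.setup.outputs.docs-only == 'true' }}
 uses: ./.github/workflows/pipeline-electron-docs-only.yml
+permissions:
+contents: read
 with:
 container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
 secrets: inherit
@@ -102,6 +109,8 @@ jobs:
 needs: setup
 if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-macos}}
 runs-on: electron-arc-centralus-linux-amd64-32core
+permissions:
+contents: read
 container:
 image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
 options: --user root
@@ -130,6 +139,8 @@ jobs:
 needs: setup
 if: ${{ !inputs.skip-linux}}
 runs-on: electron-arc-centralus-linux-amd64-32core
+permissions:
+contents: read
 container:
 image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
 options: --user root
@@ -159,6 +170,8 @@ jobs:
 needs: setup
 if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-windows }}
 runs-on: electron-arc-centralus-linux-amd64-32core
+permissions:
+contents: read
 container:
 image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}
 options: --user root --device /dev/fuse --cap-add SYS_ADMIN
@@ -189,6 +202,8 @@ jobs:
 # GN Check Jobs
 macos-gn-check:
 uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
+permissions:
+contents: read
 needs: checkout-macos
 with:
 target-platform: macos
@@ -199,6 +214,8 @@ jobs:
 
 linux-gn-check:
 uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
+permissions:
+contents: read
 needs: checkout-linux
 if: ${{ needs.setup.outputs.src == 'true' }}
 with:
@@ -211,6 +228,8 @@ jobs:
 
 windows-gn-check:
 uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
+permissions:
+contents: read
 needs: checkout-windows
 with:
 target-platform: win
@@ -404,6 +423,8 @@ jobs:
 gha-done:
 name: GitHub Actions Completed
 runs-on: ubuntu-latest
+permissions:
+contents: read
 needs: [docs-only, macos-x64, macos-arm64, linux-x64, linux-x64-asan, linux-arm, linux-arm64, windows-x64, windows-x86, windows-arm64]
 if: always() && !contains(needs.*.result, 'failure')
 steps: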
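Review bot: The `gha-done` job in the last hunk now gets `contents: read`, but its visible role is only to gate on the `needs` results; unless a step below the hunk checks out the repo or calls the API with `github.token`, `permissions: {}` — the choice this same commit makes for the issue-opened.yml jobs — is the tighter grant. For the `uses:` jobs (lint, docs-only, the three gn-check calls), a job-level `permissions` on a reusable-workflow call is the ceiling the called workflow may request, so if any of those pipelines declares a write scope it will now be rejected at startup rather than quietly run with less; worth confirming against each called file, none of which is in this diff. A one-line comment beside the workflow-level `permissions: {}`, e.g. `# Default-deny: every job must declare the scopes it needs (checkout needs contents: read)`, would keep future jobs from being added without a grant and failing at checkout. The `gha-done` steps continue outside the hunk.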

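--- a/.github/workflows/clean-src-cache.yml
+++ b/.github/workflows/clean-src-cache.yml
@@ -1,16 +1,20 @@
 name: Clean Source Cache
 
-description: |
-This workflow cleans up the source cache on the cross-instance cache volume
-to free up space. It runs daily at midnight and clears files older than 15 days.
+# Description:
+# This workflow cleans up the source cache on the cross-instance cache volume
+# to free up space. It runs daily at midnight and clears files older than 15 days.
 
 on:
 schedule:
 - cron: "0 0 * * *"
 
+permissions: {}
+
 jobs:
 clean-src-cache:
 runs-on: electron-arc-centralus-linux-amd64-32core
+permissions:
+contents: read
 container:
 image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1
 options: --user root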
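Review bot: `contents: read` on `clean-src-cache` may be more than the job needs: the converted description says it only deletes stale files on the cross-instance cache volume, and if its steps (outside the hunk) do not check out the repository, `permissions: {}` would match that exactly. If a checkout is in fact required, say so beside the grant, e.g. `contents: read  # checkout only`, so the next reader does not have to trace the steps to justify the token scope. The job body continues past the end of the hunk.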

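--- a/.github/workflows/issue-labeled.yml
+++ b/.github/workflows/issue-labeled.yml
@@ -4,14 +4,15 @@ on:
 issues:
 types: [labeled]
 
-permissions: # added using https://github.com/step-security/secure-workflows
-contents: read
+permissions: {}
 
 jobs:
 issue-labeled-with-status:
 name: status/{confirmed,reviewed} label added
 if: github.event.label.name == 'status/confirmed' || github.event.label.name == 'status/reviewed'
 runs-on: ubuntu-latest
+permissions:
+contents: read
 steps:
 - name: Generate GitHub App token
 uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -31,6 +32,8 @@ jobs:
 name: blocked/* label added
 if: startsWith(github.event.label.name, 'blocked/')
 runs-on: ubuntu-latest
+permissions:
+contents: read
 steps:
 - name: Generate GitHub App token
 uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1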
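Review bot: Both jobs in this file are granted `contents: read`, yet their first step mints a GitHub App token, and the structurally identical jobs in issue-opened.yml are set to `permissions: {}` by this same commit. If no later step (outside the hunks) checks out the repo or uses `github.token`, `permissions: {}` is the consistent and tighter choice here too; if one does, a comment naming that step beside the grant, e.g. `contents: read  # needed by <step name>`, would explain the asymmetry between the two issue workflows. Both job bodies continue past the end of their hunks.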

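--- a/.github/workflows/issue-opened.yml
+++ b/.github/workflows/issue-opened.yml
@@ -11,6 +11,7 @@ jobs:
 add-to-issue-triage:
 if: ${{ contains(github.event.issue.labels.*.name, 'bug :beetle:') }}
 runs-on: ubuntu-latest
+permissions: {}
 steps:
 - name: Generate GitHub App token
 uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -28,6 +29,7 @@ jobs:
 set-labels:
 if: ${{ contains(github.event.issue.labels.*.name, 'bug :beetle:') }}
 runs-on: ubuntu-latest
+permissions: {}
 steps:
 - name: Generate GitHub App token
 uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1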

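--- a/.github/workflows/issue-transferred.yml
+++ b/.github/workflows/issue-transferred.yml
@@ -10,6 +10,7 @@ jobs:
 issue-transferred:
 name: Issue Transferred
 runs-on: ubuntu-latest
+permissions: {}
 if: ${{ !github.event.changes.new_repository.private }}
 steps:
 - name: Generate GitHub App token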

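--- a/.github/workflows/issue-unlabeled.yml
+++ b/.github/workflows/issue-unlabeled.yml
@@ -4,14 +4,15 @@ on:
 issues:
 types: [unlabeled]
 
-permissions:
-contents: read
+permissions: {}
 
 jobs:
 issue-unlabeled-blocked:
 name: All blocked/* labels removed
 if: startsWith(github.event.label.name, 'blocked/') && github.event.issue.state == 'open'
 runs-on: ubuntu-latest
+permissions:
+contents: read
 steps:
 - name: Check for any blocked labels
 id: check-for-blocked-labels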

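--- a/.github/workflows/linux-publish.yml
+++ b/.github/workflows/linux-publish.yml
@@ -17,9 +17,13 @@ on:
 type: boolean
 default: false
 
+permissions: {}
+
 jobs:
 checkout-linux:
 runs-on: electron-arc-centralus-linux-amd64-32core
+permissions:
+contents: read
 container:
 image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
 options: --user root
@@ -40,6 +44,8 @@ jobs:
 
 publish-x64:
 uses: ./.github/workflows/pipeline-segment-electron-build.yml
+permissions:
+contents: read
 needs: checkout-linux
 with:
 environment: production-release
@@ -55,6 +61,8 @@ jobs:
 
 publish-arm:
 uses: ./.github/workflows/pipeline-segment-electron-build.yml
+permissions:
+contents: read
 needs: checkout-linux
 with:
 environment: production-release
@@ -70,6 +78,8 @@ jobs:
 
 publish-arm64:
 uses: ./.github/workflows/pipeline-segment-electron-build.yml
+permissions:
+contents: read
 needs: checkout-linux
 with:
 environment: production-release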
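Review bot: The three `publish-*` jobs now cap the reusable pipeline-segment-electron-build.yml at `contents: read`, and a job-level `permissions` on a `uses:` job is the most the called workflow can request for its own token. If that pipeline creates or uploads release assets with `github.token` it needs `contents: write` and these `production-release` jobs will now be rejected at startup; if it authenticates with a dedicated secret instead, the read-only cap is exactly right — confirm which before the next release run, since the called workflow is not in this diff. Either way, recording the intent at the grant, e.g. `contents: read  # release uploads use a dedicated token, not GITHUB_TOKEN`, saves the next person from re-deriving it.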

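--- a/.github/workflows/macos-publish.yml
+++ b/.github/workflows/macos-publish.yml
@@ -18,9 +18,13 @@ on:
 type: boolean
 default: false
 
+permissions: {}
+
 jobs:
 checkout-macos:
 runs-on: electron-arc-centralus-linux-amd64-32core
+permissions:
+contents: read
 container:
 image: ghcr.io/electron/build:${{ inputs.build-image-sha }}
 options: --user root
@@ -44,6 +48,8 @@ jobs:
 
 publish-x64-darwin:
 uses: ./.github/workflows/pipeline-segment-electron-build.yml
+permissions:
+contents: read
 needs: checkout-macos
 with:
 environment: production-release
@@ -59,6 +65,8 @@ jobs:
 
 publish-x64-mas:
 uses: ./.github/workflows/pipeline-segment-electron-build.yml
+permissions:
+contents: read
 needs: checkout-macos
 with:
 environment: production-release
@@ -74,6 +82,8 @@ jobs:
 
 publish-arm64-darwin:
 uses: ./.github/workflows/pipeline-segment-electron-build.yml
+permissions:
+contents: read
 needs: checkout-macos
 with:
 environment: production-release
@@ -89,6 +99,8 @@ jobs:
 
 publish-arm64-mas:
 uses: ./.github/workflows/pipeline-segment-electron-build.yml
+permissions:
+contents: read
 needs: checkout-macos
 with:
 environment: production-release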
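Review bot: The four `publish-*` jobs set `contents: read` on their calls to pipeline-segment-electron-build.yml, which becomes the ceiling for that workflow's own `permissions`; any write scope it declares (for example to upload release assets with `github.token`) will now be refused at startup, so confirm the pipeline's release steps authenticate with a dedicated secret rather than the default token before a `production-release` run depends on this. The identical `permissions:` block is repeated under every job with no explanation; one comment beside the workflow-level `permissions: {}`, e.g. `# Default-deny: jobs must request scopes explicitly; contents: read covers checkout`, documents the policy once. The called workflow and the remaining job bodies are outside this diff.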
