Fix top level permissions in workflows
Permissions should be read-only by default

Related to hyperledger-labs#174

Signed-off-by: James Taylor <[email protected]>
jt-nti committed Feb 7, 2025
1 parent 8ff524b commit 46044cb
Showing 10 changed files with 45 additions and 11 deletions.
15 changes: 10 additions & 5 deletions .github/workflows/docker-build.yml
Expand Up @@ -16,17 +16,17 @@ on:
required: false
type: string

permissions:
contents: read
packages: write
id-token: write

jobs:
build:
runs-on: ubuntu-latest
outputs:
image_digest: ${{ steps.push.outputs.digest }}

permissions:
contents: read
packages: write
id-token: write

steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
Expand Down Expand Up @@ -66,6 +66,11 @@ jobs:
needs: build
runs-on: ubuntu-latest

permissions:
contents: write
packages: write
id-token: write

steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
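Review bot: The job that begins at `needs: build` now asks for `contents: write` next to `packages: write` and `id-token: write`, but nothing in the hunk shows which step needs repository write access; the job's name and its steps lie outside the hunk. Because this file is a reusable workflow (it is invoked via `uses: ./.github/workflows/docker-build.yml` elsewhere in this commit), each job's permissions are additionally capped by the calling job, so a caller that grants only `read-all` will make these jobs fail at validation rather than run with less. A short why-comment on each elevated scope, e.g. `contents: write # required by <step> to push tags/release assets`, would record the justification and let a later reviewer drop the scope when that step goes away. If the write scope is only used on tag or release runs, guarding that step with an `if:` or moving it into its own job keeps ordinary builds read-only.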
6 changes: 6 additions & 0 deletions .github/workflows/go-contract-image.yml
Expand Up @@ -14,7 +14,13 @@ on:
paths:
- 'samples/go-contract/**'

permissions: read-all

jobs:
permissions:
contents: write
packages: write
id-token: write
docker_build:
name: Docker build
uses: ./.github/workflows/docker-build.yml
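Review bot: The new `permissions:` block (`contents: write`, `packages: write`, `id-token: write`) appears directly under `jobs:` rather than inside the `docker_build` job — indentation is lost in this rendering, but the block precedes `docker_build:`, so it is either a bogus job id `permissions` with no `runs-on`/`uses` (which GitHub rejects) or a second top-level `permissions` key duplicating `read-all`. Either way the `docker_build` job that calls `./.github/workflows/docker-build.yml` keeps only `read-all`, which is narrower than the `packages: write` / `id-token: write` the called workflow's jobs request, so the reusable-workflow call would fail. Move the four lines under the job, after `name: Docker build`, at job-key indentation:
```yaml
jobs:
  docker_build:
    name: Docker build
    permissions:
      contents: write
      packages: write
      id-token: write
    uses: ./.github/workflows/docker-build.yml
```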
5 changes: 5 additions & 0 deletions .github/workflows/go.yml
Expand Up @@ -15,6 +15,8 @@ on:
- 'docs/**'
- 'samples/**'

permissions: read-all

jobs:

build:
Expand All @@ -24,6 +26,9 @@ jobs:
os: [ubuntu-latest, macOS-13]
goarch: [amd64, arm64]

permissions:
contents: write

env:
GOARCH: ${{ matrix.goarch }}

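Review bot: The `build` matrix job now carries `contents: write`, yet its steps are outside the hunk and nothing visible says which step writes to the repository; if it is an upload or release step that only runs on tags, every other run across the `os`/`goarch` matrix still executes with write access to the repo. Prefer leaving `build` under the top-level `read-all` and moving the step that needs the scope into a separate job that declares `permissions:` / `contents: write` and is guarded by the existing tag/release condition (presumably something like `if: startsWith(github.ref, 'refs/tags/')` — confirm against the steps), as the mkdocs workflow in this same commit does with its `deploy` job. At minimum, annotate the scope in place: `contents: write # required by <step> to ...`. The `build` job definition continues past the end of the hunk.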
3 changes: 1 addition & 2 deletions .github/workflows/golangci-lint.yml
Expand Up @@ -15,8 +15,7 @@ on:
- 'docs/**'
- 'samples/**'

permissions:
contents: read
permissions: read-all

jobs:
golangci:
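Review bot: Replacing `contents: read` with `permissions: read-all` widens this workflow's token rather than narrowing it: `read-all` grants read on every scope (actions, checks, deployments, issues, packages, pull-requests, security-events and so on), whereas the previous block granted read on `contents` only, which is all a lint job that checks out the repository needs. The commit's read-only-by-default goal was already met here, so I would keep `permissions:` / `contents: read`, adding `pull-requests: read` only if the lint action is configured to annotate pull requests. The same `read-all` shorthand is introduced in the other workflows of this commit; explicit per-scope `read` entries would be the tighter form there as well.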
6 changes: 6 additions & 0 deletions .github/workflows/java-contract-image.yml
Expand Up @@ -14,7 +14,13 @@ on:
paths:
- 'samples/java-contract/**'

permissions: read-all

jobs:
permissions:
contents: write
packages: write
id-token: write
docker_build:
name: Docker build
uses: ./.github/workflows/docker-build.yml
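Review bot: As rendered, the added `permissions:` block sits between `jobs:` and `docker_build:`, so it is not part of the `docker_build` job; GitHub will either reject a job id `permissions` that has no `uses`/`runs-on` or, if the block is at top level, see a duplicate `permissions` key alongside `read-all`. The `docker_build` job calling `./.github/workflows/docker-build.yml` would then run with `read-all`, below the `packages: write` and `id-token: write` the called jobs declare, and the call fails validation. The block belongs inside the job:
```yaml
jobs:
  docker_build:
    name: Docker build
    permissions:
      contents: write
      packages: write
      id-token: write
    uses: ./.github/workflows/docker-build.yml
```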
9 changes: 5 additions & 4 deletions .github/workflows/mkdocs.yml
Expand Up @@ -11,10 +11,7 @@ on:
- 'docs/**'
workflow_dispatch:

permissions:
contents: read
pages: write
id-token: write
permissions: read-all

# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
Expand Down Expand Up @@ -54,6 +51,10 @@ jobs:
# Deployment job
deploy:
if: github.event_name == 'push'
permissions:
contents: read
pages: write
id-token: write
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
6 changes: 6 additions & 0 deletions .github/workflows/node-contract-image.yml
Expand Up @@ -14,7 +14,13 @@ on:
paths:
- 'samples/node-contract/**'

permissions: read-all

jobs:
permissions:
contents: write
packages: write
id-token: write
docker_build:
name: Docker build
uses: ./.github/workflows/docker-build.yml
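Review bot: The `permissions:` block added here precedes `docker_build:` and so is not nested in that job; GitHub treats a `jobs.permissions` mapping without `uses`/`runs-on` as an invalid job, and a top-level placement would duplicate the `read-all` key. Consequently the `docker_build` job that invokes `./.github/workflows/docker-build.yml` only gets `read-all`, which cannot satisfy the `packages: write` / `id-token: write` requested by the called workflow's jobs, and the run fails before any step executes. Re-nest the block under the job:
```yaml
jobs:
  docker_build:
    name: Docker build
    permissions:
      contents: write
      packages: write
      id-token: write
    uses: ./.github/workflows/docker-build.yml
```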
2 changes: 2 additions & 0 deletions .github/workflows/peer-image.yml
Expand Up @@ -18,6 +18,8 @@ on:
- 'docs/**'
- 'samples/**'

permissions: read-all

jobs:
docker_build:
name: Docker build
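Review bot: `permissions: read-all` now caps this workflow's token, but unlike the contract-image workflows in this commit the `docker_build` job shown here gains no job-level `permissions:`; if the job does not declare them further down (its body runs past the end of the hunk), the jobs in the called `docker-build.yml` that request `packages: write` and `id-token: write` exceed what the caller grants and the reusable-workflow call is rejected. Grant the scopes on the job itself — `permissions:` / `packages: write` / `id-token: write` under `docker_build:` — and add `contents: write` only if the called workflow's second job genuinely needs it for this image.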
2 changes: 2 additions & 0 deletions .github/workflows/status-checks-docker.yml
Expand Up @@ -3,6 +3,8 @@ name: Skip docker status checks
on:
workflow_call:

permissions: read-all

jobs:
build:
runs-on: ubuntu-latest
2 changes: 2 additions & 0 deletions .github/workflows/status-checks.yml
Expand Up @@ -7,6 +7,8 @@ on:
- 'docs/**'
- 'samples/**'

permissions: read-all

jobs:
lint:
runs-on: ubuntu-latest
