GitHub Workflows security hardening (apache#4467)

* build: harden frontend.yml permissions Signed-off-by: Alex <[email protected]> * build: harden core.yml permissions Signed-off-by: Alex <[email protected]>
proceane · Feb 16, 2023 · 47008de · 47008de
1 parent f685271
commit 47008de
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/.github/workflows/core.yml b/.github/workflows/core.yml
@@ -25,6 +25,9 @@ defaults:
   run:
     shell: bash -l {0}
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   # test on core-modules (zeppelin-interpreter,zeppelin-zengine,zeppelin-server),
   # some interpreters are included, because zeppelin-server test depends on them: spark, shell & markdown

diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
@@ -21,6 +21,9 @@ env:
   ZEPPELIN_LOCAL_IP: 127.0.0.1
   INTERPRETERS: '!hbase,!jdbc,!file,!flink,!cassandra,!elasticsearch,!bigquery,!alluxio,!livy,!groovy,!java,!neo4j,!submarine,!sparql,!mongodb'
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   run-e2e-tests-in-zeppelin-web:
     runs-on: ubuntu-20.04