From 829b8912cdd29a54e0d1a7521e1be7dbf2edc168 Mon Sep 17 00:00:00 2001
From: Joyce Brum
Date: Fri, 3 Mar 2023 21:34:25 -0800
Subject: [PATCH] feat: harden permissions for all github workflows

Signed-off-by: Joyce Brum

Reviewed By: tstellar

Differential Revision: https://reviews.llvm.org/D144119
---
 .github/workflows/clang-tests.yml            | 3 +++
 .github/workflows/closed-issues.yml          | 6 ++++++
 .github/workflows/issue-release-workflow.yml | 3 +++
 .github/workflows/issue-subscriber.yml       | 3 +++
 .github/workflows/libclang-abi-tests.yml     | 3 +++
 .github/workflows/libclc-tests.yml           | 3 +++
 .github/workflows/lld-tests.yml              | 3 +++
 .github/workflows/lldb-tests.yml             | 3 +++
 .github/workflows/llvm-bugs.yml              | 4 ++++
 .github/workflows/llvm-project-tests.yml     | 3 +++
 .github/workflows/llvm-tests.yml             | 3 +++
 .github/workflows/new-issues.yml             | 6 ++++++
 .github/workflows/release-tasks.yml          | 5 +++++
 .github/workflows/version-check.yml          | 3 +++
 14 files changed, 51 insertions(+)

diff --git a/.github/workflows/clang-tests.yml b/.github/workflows/clang-tests.yml
index fb2d04b3b30c..1c85aad64f22 100644
--- a/.github/workflows/clang-tests.yml
+++ b/.github/workflows/clang-tests.yml
@@ -1,5 +1,8 @@
 name: Clang Tests
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/closed-issues.yml b/.github/workflows/closed-issues.yml
index 921bbcf786bf..6fa3038cb054 100644
--- a/.github/workflows/closed-issues.yml
+++ b/.github/workflows/closed-issues.yml
@@ -3,8 +3,14 @@ on:
   issues:
     types: ['closed']
 
+permissions:
+  contents: read
+
 jobs:
   automate-issues-labels:
+    permissions:
+      issues: write # for andymckay/labeler to label issues
+      pull-requests: write # for andymckay/labeler to label PRs
     runs-on: ubuntu-latest
     if: github.repository == 'llvm/llvm-project'
     steps:
diff --git a/.github/workflows/issue-release-workflow.yml b/.github/workflows/issue-release-workflow.yml
index 1662be9ed915..b30782d472a1 100644
--- a/.github/workflows/issue-release-workflow.yml
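Review bot: The job-level `pull-requests: write` added under `automate-issues-labels` in closed-issues.yml is broader than this workflow can use: its only trigger is `issues: types: ['closed']`, so no pull request is ever in scope for andymckay/labeler to label, and the grant can shrink to `issues: write # for andymckay/labeler to label issues` unless the action refuses to start without the extra scope. The same pair of grants appears in new-issues.yml later in this patch, whose trigger is `issues: types: ['opened']`. The job's steps continue outside the hunk, so confirm nothing else there calls the pull-request API before trimming.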
+++ b/.github/workflows/issue-release-workflow.yml
@@ -14,6 +14,9 @@
 
 name: Issue Release Workflow
 
+permissions:
+  contents: read
+
 on:
   issue_comment:
     types:
diff --git a/.github/workflows/issue-subscriber.yml b/.github/workflows/issue-subscriber.yml
index a243c7526814..9083ebb10480 100644
--- a/.github/workflows/issue-subscriber.yml
+++ b/.github/workflows/issue-subscriber.yml
@@ -5,6 +5,9 @@ on:
     types:
       - labeled
 
+permissions:
+  contents: read
+
 jobs:
   auto-subscribe:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/libclang-abi-tests.yml b/.github/workflows/libclang-abi-tests.yml
index 5e8f62ba1330..41896d439288 100644
--- a/.github/workflows/libclang-abi-tests.yml
+++ b/.github/workflows/libclang-abi-tests.yml
@@ -1,5 +1,8 @@
 name: libclang ABI Tests
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/libclc-tests.yml b/.github/workflows/libclc-tests.yml
index f4d11e253501..1a29d3284f4f 100644
--- a/.github/workflows/libclc-tests.yml
+++ b/.github/workflows/libclc-tests.yml
@@ -1,5 +1,8 @@
 name: libclc Tests
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/lld-tests.yml b/.github/workflows/lld-tests.yml
index b071affb6725..e806c77df287 100644
--- a/.github/workflows/lld-tests.yml
+++ b/.github/workflows/lld-tests.yml
@@ -1,5 +1,8 @@
 name: LLD Tests
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/lldb-tests.yml b/.github/workflows/lldb-tests.yml
index c62c4a79e61a..4d96fa501b86 100644
--- a/.github/workflows/lldb-tests.yml
+++ b/.github/workflows/lldb-tests.yml
@@ -1,5 +1,8 @@
 name: lldb Tests
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/llvm-bugs.yml b/.github/workflows/llvm-bugs.yml
index efb47f55dda8..bfa0c9af946d 100644
--- a/.github/workflows/llvm-bugs.yml
+++ b/.github/workflows/llvm-bugs.yml
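Review bot: The workflow-level `permissions: contents: read` added to issue-subscriber.yml narrows GITHUB_TOKEN for the `auto-subscribe` job and the hunk grants nothing back at job level; if that job writes to the triggering issue through GITHUB_TOKEN rather than a stored secret (its name suggests it posts to the issue, but the step is not visible here), it will start failing with a permission error after this change. The job body lies outside the hunk, so this should be checked against the step that talks to the issues API; the same question applies to issue-release-workflow.yml above, whose `issue_comment`-triggered job likewise receives only `contents: read`. If those jobs use a dedicated token, a comment beside the new block such as `# jobs below authenticate with a dedicated secret, not GITHUB_TOKEN` would record why no write scope is granted.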
@@ -1,5 +1,9 @@
 name: LLVM Bugs notifier
 
+permissions:
+  contents: read
+  issues: read
+
 on:
   issues:
     types:
diff --git a/.github/workflows/llvm-project-tests.yml b/.github/workflows/llvm-project-tests.yml
index abc9e014f054..671997cd4e14 100644
--- a/.github/workflows/llvm-project-tests.yml
+++ b/.github/workflows/llvm-project-tests.yml
@@ -1,5 +1,8 @@
 name: LLVM Project Tests
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/llvm-tests.yml b/.github/workflows/llvm-tests.yml
index f0b3a2abc899..b59607647c8f 100644
--- a/.github/workflows/llvm-tests.yml
+++ b/.github/workflows/llvm-tests.yml
@@ -1,5 +1,8 @@
 name: LLVM Tests
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
diff --git a/.github/workflows/new-issues.yml b/.github/workflows/new-issues.yml
index 97dfc54a7b13..cd5fa1d58347 100644
--- a/.github/workflows/new-issues.yml
+++ b/.github/workflows/new-issues.yml
@@ -3,8 +3,14 @@ on:
   issues:
     types: ['opened']
 
+permissions:
+  contents: read
+
 jobs:
   automate-issues-labels:
+    permissions:
+      issues: write # for andymckay/labeler to label issues
+      pull-requests: write # for andymckay/labeler to label PRs
     runs-on: ubuntu-latest
     if: github.repository == 'llvm/llvm-project'
     steps:
diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml
index b721e14a251c..1d16e58a2c91 100644
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -1,5 +1,8 @@
 name: Release Task
 
+permissions:
+  contents: read
+
 on:
   push:
     tags:
@@ -8,6 +11,8 @@ on:
 
 jobs:
   release-tasks:
+    permissions:
+      contents: write # To upload assets to release.
     runs-on: ubuntu-latest
     if: github.repository == 'llvm/llvm-project'
     steps:
diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml
index 4b6f33a7c812..86d43a9c7924 100644
--- a/.github/workflows/version-check.yml
+++ b/.github/workflows/version-check.yml
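Review bot: `issues: read` in llvm-bugs.yml is granted at workflow level, whereas every other scope beyond `contents: read` in this patch (closed-issues.yml, new-issues.yml, release-tasks.yml) is attached to the job that needs it and carries a comment naming the consumer. Moving it into the job's own `permissions:` block with a comment naming the step that reads the issue, e.g. `issues: read # needed by the step that reads the reported issue`, keeps the top-level block uniformly `contents: read` across the workflows and makes the reason for the extra scope greppable. The job definition is outside the hunk, so the exact step name has to be filled in from the file.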
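Review bot: `contents: write` on the `release-tasks` job in release-tasks.yml is scoped to the whole job, so every step in it — not only the asset upload the comment names — runs with a token that can push to the repository; the steps are outside the second hunk, so the real exposure depends on what runs before the upload. If the build and packaging steps can live in a job that keeps the workflow-level `contents: read`, with only the upload job receiving `contents: write`, the write-capable token never reaches the build tooling. At minimum the comment could pin the consumer: `contents: write # needed only by the release-asset upload step`.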
@@ -8,6 +8,9 @@ on:
     branches:
       - 'release/**'
 
+permissions:
+  contents: read
+
 jobs:
   version_check:
     if: github.repository_owner == 'llvm'