]> git.madduck.net Git - etc/vim.git/commitdiff

madduck's git repository

Every one of the projects in this repository is available at the canonical URL git://git.madduck.net/madduck/pub/<projectpath> — see each project's metadata for the exact URL.

All patches and comments are welcome. Please squash your changes to logical commits before using git-format-patch and git-send-email to patches@git.madduck.net. If you'd read over the Git project's submission guidelines and adhered to them, I'd be especially grateful.

SSH access, as well as push access can be individually arranged.

If you use my repositories frequently, consider adding the following snippet to ~/.gitconfig and using the third clone URL listed for each project:

[url "git://git.madduck.net/madduck/"]
  insteadOf = madduck:

chore: Set permissions for GitHub actions (#3043)
authorNaveen <172697+naveensrinivasan@users.noreply.github.com>
Tue, 3 May 2022 13:08:33 +0000 (08:08 -0500)
committerGitHub <noreply@github.com>
Tue, 3 May 2022 13:08:33 +0000 (07:08 -0600)
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
.github/workflows/changelog.yml
.github/workflows/doc.yml
.github/workflows/docker.yml
.github/workflows/fuzz.yml
.github/workflows/pypi_upload.yml
.github/workflows/upload_binary.yml
.github/workflows/uvloop_test.yml

index 3ffdb0864937be9c67470dced137ed97a440fa7a..b3e1f0b90241c1df5e0b4989d5a606f61741be93 100644 (file)
@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [opened, synchronize, labeled, unlabeled, reopened]
 
   pull_request:
     types: [opened, synchronize, labeled, unlabeled, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Changelog Entry Check
 jobs:
   build:
     name: Changelog Entry Check
index 1ad4b3a7605742b5437631696910e768b092056e..e2a0142cc652960c31d6b8905959f4a8f0514e31 100644 (file)
@@ -2,6 +2,9 @@ name: Documentation Build
 
 on: [push, pull_request]
 
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     # We want to run on external PRs, but not on our own internal PRs as they'll be run
 jobs:
   build:
     # We want to run on external PRs, but not on our own internal PRs as they'll be run
index b75ce2bb6f1562e2ebae34c82e0621bb4585d389..0a4848faad8fe395c6bd9d14c18b63ab0b279806 100644 (file)
@@ -7,6 +7,9 @@ on:
   release:
     types: [published]
 
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   docker:
     if: github.repository == 'psf/black'
 jobs:
   docker:
     if: github.repository == 'psf/black'
index 8fba67a5a014efe65c8c3d758d339ab3f516064a..d796fd50564030576d200c932af36ea5c287c05f 100644 (file)
@@ -2,6 +2,9 @@ name: Fuzz
 
 on: [push, pull_request]
 
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     # We want to run on external PRs, but not on our own internal PRs as they'll be run
 jobs:
   build:
     # We want to run on external PRs, but not on our own internal PRs as they'll be run
index 9d970592d989ae302a8f5ce61f9d4ca166259e9d..ef524a8ece6f6c0d29b4de46b4189e50011036c1 100644 (file)
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: PyPI Upload
 jobs:
   build:
     name: PyPI Upload
index ed8d9fdd572a8ba8afa2766fcdcfb42fa5978537..6bb1d23306b5c3d314e62cb71ab3aac7a77dde4b 100644 (file)
@@ -4,8 +4,13 @@ on:
   release:
     types: [published]
 
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 jobs:
   build:
+    permissions:
+      contents: write # for actions/upload-release-asset to upload release asset
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
index 14b17d68424cad57cad16d81011fae870bb256ba..bbc39935f8917c1835c95eae953600ac632c6b4b 100644 (file)
@@ -11,6 +11,9 @@ on:
       - "docs/**"
       - "*.md"
 
       - "docs/**"
       - "*.md"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     # We want to run on external PRs, but not on our own internal PRs as they'll be run
 jobs:
   build:
     # We want to run on external PRs, but not on our own internal PRs as they'll be run