From e2be89632dec7a1b243ee0c74762f1db4fe5a5a1 Mon Sep 17 00:00:00 2001
From: Arnout Engelen
Date: Mon, 17 Jun 2024 17:37:32 +0200
Subject: [PATCH] chore: restrict GitHub actions permissions

Be more selective in granting permissions to actions
---
 .github/workflows/dependency-graph.yml | 7 +++++++
 .github/workflows/scala-steward.yml | 4 ++++
 2 files changed, 11 insertions(+)

diff --git a/.github/workflows/dependency-graph.yml b/.github/workflows/dependency-graph.yml
index e96c3efbc8a..c2c08140a43 100644
--- a/.github/workflows/dependency-graph.yml
+++ b/.github/workflows/dependency-graph.yml
@@ -3,6 +3,9 @@ on:
 push:
 branches:
 - main # default branch of the project
+
+permissions: {}
+
 jobs:
 dependency-graph:
 name: Update Dependency Graph
@@ -10,3 +13,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - uses: scalacenter/sbt-dependency-submission@v2
+ permissions:
+ # The API requires write permission on the repository
+ # to submit dependencies
+ contents: write
diff --git a/.github/workflows/scala-steward.yml b/.github/workflows/scala-steward.yml
index 08a13210fe1..64ee65f7a80 100644
--- a/.github/workflows/scala-steward.yml
+++ b/.github/workflows/scala-steward.yml
@@ -5,6 +5,10 @@ on:
 name: Launch Scala Steward
+# The GitHub Action doesn't need permissions: it only reads already-public
+# data and creates PRs through the scala-steward-asf bot:
+permissions: {}
+
 jobs:
 scala-steward:
 runs-on: ubuntu-22.04
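Review bot: The job-level `permissions:` block added at the end of the dependency-graph job hands a `contents: write` token to a job whose steps, visible two lines above, reference `actions/checkout@v4` and `scalacenter/sbt-dependency-submission@v2` by mutable major-version tag, so the write-capable token follows whatever those tags resolve to later; pinning both `uses:` references to a full-length commit SHA with the tag in a trailing comment would make the grant as tight as the new permissions block intends. The comment on the new lines could name the mechanism rather than "the API", e.g. `# The Dependency Submission API needs contents: write on the repository`. Placing `permissions:` before `steps:` would match the usual workflow layout, although YAML key order is not significant here.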
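Review bot: The new comment in scala-steward.yml states the job "only reads already-public data", but the job's steps are outside the hunk, so whether any step still relies on the default `GITHUB_TOKEN` (a checkout, for instance) cannot be confirmed from here; with `permissions: {}` that token carries no scopes, which is the intended outcome, but one scheduled run after merge would confirm nothing depends on it. The PRs are presumably opened with a separate credential belonging to the scala-steward-asf bot, which this block does not constrain, and the comment would be clearer saying so: `# No GITHUB_TOKEN scopes are needed: the job reads public data and the PRs are opened with the scala-steward-asf bot's own credential.` The trailing colon on the second comment line reads as if something follows; a full stop would be clearer.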