diff --git a/.github/workflows/archaeologist-dig.yml b/.github/workflows/archaeologist-dig.yml
index 4be9246226ce..e1cd07da72c8 100644
--- a/.github/workflows/archaeologist-dig.yml
+++ b/.github/workflows/archaeologist-dig.yml
@@ -3,10 +3,14 @@ name: Archaeologist on: pull_request:
+permissions: {}
+
jobs: archaeologist-dig: name: Archaeologist Dig runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps: - name: Checkout Electron uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.0.2
diff --git a/.github/workflows/build-git-cache.yml b/.github/workflows/build-git-cache.yml
index 43daf56e5aa3..d21c0f0d6756 100644
--- a/.github/workflows/build-git-cache.yml
+++ b/.github/workflows/build-git-cache.yml
@@ -6,9 +6,13 @@ on: schedule: - cron: "0 0 * * *"
+permissions: {}
+
jobs: build-git-cache-linux: runs-on: electron-arc-centralus-linux-amd64-32core
+ permissions:
+ contents: read
container: image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1 options: --user root
@@ -30,6 +34,8 @@ jobs: build-git-cache-windows: runs-on: electron-arc-centralus-linux-amd64-32core
+ permissions:
+ contents: read
container: image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1 options: --user root --device /dev/fuse --cap-add SYS_ADMIN
@@ -52,6 +58,8 @@ jobs: build-git-cache-macos: runs-on: electron-arc-centralus-linux-amd64-32core
+ permissions:
+ contents: read
# This job updates the same git cache as linux, so it needs to run after the linux one. needs: build-git-cache-linux container:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 756ade3b2381..28b71bd1d8ed 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -43,10 +43,13 @@ defaults: run: shell: bash
+permissions: {}
+
jobs: setup: runs-on: ubuntu-latest permissions:
+ contents: read
pull-requests: read outputs: docs: ${{ steps.filter.outputs.docs }}
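Review bot: The new workflow-level `permissions: {}` in archaeologist-dig.yml carries no comment explaining the deny-by-default intent, so a later maintainer is likely to re-add a workflow-wide grant instead of a job-level one; the same applies to the matching `permissions: {}` insertions in every other file of this diff. Suggest annotating the added line, `permissions: {}  # default-deny for GITHUB_TOKEN; each job declares only the scopes it needs`. The `archaeologist-dig` job body continues outside the hunk.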
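Review bot: With `permissions: {}` now at the workflow level of build.yml (hunk @@ -43), any job that does not declare its own `permissions` inherits an empty token, and the `macos-x64`, `linux-x64`, `windows-x64` and similar jobs listed in the `gha-done` `needs:` array (hunk @@ -404) are not touched anywhere in this diff. If those jobs call pipeline-electron-build-and-test.yml without a job-level block, the called `test` job's request for `contents: read`, `issues: read` and `pull-requests: read` (hunk @@ -86 of that file) would exceed the caller's grant, and a called workflow cannot elevate beyond what its caller passes. Please confirm each of those callers already carries a `permissions:` block covering those three scopes; if not, add `permissions:` with `contents: read`, `issues: read`, `pull-requests: read` under each. The `setup` job body continues outside the hunk.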
@@ -84,6 +87,8 @@ jobs: needs: setup if: ${{ !inputs.skip-lint }} uses: ./.github/workflows/pipeline-electron-lint.yml
+ permissions:
+ contents: read
with: container: '{"image":"ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }}","options":"--user root"}' secrets: inherit
@@ -93,6 +98,8 @@ jobs: needs: [setup, checkout-linux] if: ${{ needs.setup.outputs.docs-only == 'true' }} uses: ./.github/workflows/pipeline-electron-docs-only.yml
+ permissions:
+ contents: read
with: container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}' secrets: inherit
@@ -102,6 +109,8 @@ jobs: needs: setup if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-macos}} runs-on: electron-arc-centralus-linux-amd64-32core
+ permissions:
+ contents: read
container: image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }} options: --user root
@@ -130,6 +139,8 @@ jobs: needs: setup if: ${{ !inputs.skip-linux}} runs-on: electron-arc-centralus-linux-amd64-32core
+ permissions:
+ contents: read
container: image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }} options: --user root
@@ -159,6 +170,8 @@ jobs: needs: setup if: ${{ needs.setup.outputs.src == 'true' && !inputs.skip-windows }} runs-on: electron-arc-centralus-linux-amd64-32core
+ permissions:
+ contents: read
container: image: ghcr.io/electron/build:${{ needs.setup.outputs.build-image-sha }} options: --user root --device /dev/fuse --cap-add SYS_ADMIN
@@ -189,6 +202,8 @@ jobs: # GN Check Jobs macos-gn-check: uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
+ permissions:
+ contents: read
needs: checkout-macos with: target-platform: macos
@@ -199,6 +214,8 @@ jobs: linux-gn-check: uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
+ permissions:
+ contents: read
needs: checkout-linux if: ${{ needs.setup.outputs.src == 'true' }} with:
@@ -211,6 +228,8 @@ jobs: windows-gn-check: uses: ./.github/workflows/pipeline-segment-electron-gn-check.yml
+ permissions:
+ contents: read
needs: checkout-windows with: target-platform: win
@@ -404,6 +423,8 @@ jobs: gha-done: name: GitHub Actions Completed runs-on: ubuntu-latest
+ permissions:
+ contents: read
needs: [docs-only, macos-x64, macos-arm64, linux-x64, linux-x64-asan, linux-arm, linux-arm64, windows-x64, windows-x86, windows-arm64] if: always() && !contains(needs.*.result, 'failure') steps:
diff --git a/.github/workflows/clean-src-cache.yml b/.github/workflows/clean-src-cache.yml
index 9a1bfddccc88..d632ba2d5fa3 100644
--- a/.github/workflows/clean-src-cache.yml
+++ b/.github/workflows/clean-src-cache.yml
@@ -1,16 +1,20 @@
name: Clean Source Cache
-description: |
- This workflow cleans up the source cache on the cross-instance cache volume
- to free up space. It runs daily at midnight and clears files older than 15 days.
+# Description:
+# This workflow cleans up the source cache on the cross-instance cache volume
+# to free up space. It runs daily at midnight and clears files older than 15 days.
on: schedule: - cron: "0 0 * * *"
+permissions: {}
+
jobs: clean-src-cache: runs-on: electron-arc-centralus-linux-amd64-32core
+ permissions:
+ contents: read
container: image: ghcr.io/electron/build:bc2f48b2415a670de18d13605b1cf0eb5fdbaae1 options: --user root
diff --git a/.github/workflows/issue-labeled.yml b/.github/workflows/issue-labeled.yml
index b21691b0ca9c..75fe70ea150b 100644
--- a/.github/workflows/issue-labeled.yml
+++ b/.github/workflows/issue-labeled.yml
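Review bot: `gha-done` is granted `contents: read` (hunk @@ -404) although nothing in the hunk shows it checking out the repository; it is a fan-in status job whose `if: always() && !contains(needs.*.result, 'failure')` only aggregates results, so `permissions: {}` — the form this diff already uses for the issue and stale jobs — would be the tighter default unless a step outside the hunk uses the token. The same question applies to `clean-src-cache` in the next file, whose description says it only clears files on the cross-instance cache volume. Both job bodies continue outside their hunks; if a checkout step is present, a short comment such as `permissions:  # contents: read is needed by actions/checkout` would record why the grant is kept.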
@@ -4,14 +4,15 @@ on: issues: types: [labeled]
-permissions: # added using https://github.com/step-security/secure-workflows
- contents: read
+permissions: {}
jobs: issue-labeled-with-status: name: status/{confirmed,reviewed} label added if: github.event.label.name == 'status/confirmed' || github.event.label.name == 'status/reviewed' runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps: - name: Generate GitHub App token uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -31,6 +32,8 @@ jobs: name: blocked/* label added if: startsWith(github.event.label.name, 'blocked/') runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps: - name: Generate GitHub App token uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
diff --git a/.github/workflows/issue-opened.yml b/.github/workflows/issue-opened.yml
index fb564177fa1a..c05f238f41d7 100644
--- a/.github/workflows/issue-opened.yml
+++ b/.github/workflows/issue-opened.yml
@@ -11,6 +11,7 @@ jobs: add-to-issue-triage: if: ${{ contains(github.event.issue.labels.*.name, 'bug :beetle:') }} runs-on: ubuntu-latest
+ permissions: {}
steps: - name: Generate GitHub App token uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -28,6 +29,7 @@ jobs: set-labels: if: ${{ contains(github.event.issue.labels.*.name, 'bug :beetle:') }} runs-on: ubuntu-latest
+ permissions: {}
steps: - name: Generate GitHub App token uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
diff --git a/.github/workflows/issue-transferred.yml b/.github/workflows/issue-transferred.yml
index 2e5543ae9ec5..29a9c846a963 100644
--- a/.github/workflows/issue-transferred.yml
+++ b/.github/workflows/issue-transferred.yml
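Review bot: Both jobs in issue-labeled.yml obtain their API credential from `electron/github-app-auth-action` (the `Generate GitHub App token` step visible in each hunk), so the job-level `contents: read` added to `issue-labeled-with-status` and to the `blocked/*` job (hunk @@ -31) merely preserves the old workflow-wide grant rather than reflecting a demonstrated need for `GITHUB_TOKEN`; `issue-unlabeled-blocked` in issue-unlabeled.yml is in the same position. Unless a step outside the hunk runs `actions/checkout` or otherwise reads with `secrets.GITHUB_TOKEN`, `permissions: {}` is the tighter choice and matches what this diff does for issue-opened.yml. If the grant is needed, say by whom: `permissions:  # contents: read used by <step name>`. The step lists continue outside the hunks.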
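Review bot: issue-opened.yml receives job-level `permissions: {}` (hunks @@ -11 and @@ -28) without a visible workflow-level `permissions: {}`, unlike the other files in this diff; issue-transferred.yml, pull-request-labeled.yml and stable-prep-items.yml follow the same pattern. The file header above line 11 is outside the hunk, so a workflow-level block may already exist there; if it does not, any job added later without its own `permissions` falls back to the repository default instead of the deny-by-default these edits establish. If it is missing, add `permissions: {}` at the top level next to `on:` in each of the four files.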
@@ -10,6 +10,7 @@ jobs: issue-transferred: name: Issue Transferred runs-on: ubuntu-latest
+ permissions: {}
if: ${{ !github.event.changes.new_repository.private }} steps: - name: Generate GitHub App token
diff --git a/.github/workflows/issue-unlabeled.yml b/.github/workflows/issue-unlabeled.yml
index a7080a896713..04067970525f 100644
--- a/.github/workflows/issue-unlabeled.yml
+++ b/.github/workflows/issue-unlabeled.yml
@@ -4,14 +4,15 @@ on: issues: types: [unlabeled]
-permissions:
- contents: read
+permissions: {}
jobs: issue-unlabeled-blocked: name: All blocked/* labels removed if: startsWith(github.event.label.name, 'blocked/') && github.event.issue.state == 'open' runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps: - name: Check for any blocked labels id: check-for-blocked-labels
diff --git a/.github/workflows/linux-publish.yml b/.github/workflows/linux-publish.yml
index 5903fc925c4b..5a010199515f 100644
--- a/.github/workflows/linux-publish.yml
+++ b/.github/workflows/linux-publish.yml
@@ -17,9 +17,13 @@ on: type: boolean default: false
+permissions: {}
+
jobs: checkout-linux: runs-on: electron-arc-centralus-linux-amd64-32core
+ permissions:
+ contents: read
container: image: ghcr.io/electron/build:${{ inputs.build-image-sha }} options: --user root
@@ -40,6 +44,8 @@ jobs: publish-x64: uses: ./.github/workflows/pipeline-segment-electron-build.yml
+ permissions:
+ contents: read
needs: checkout-linux with: environment: production-release
@@ -55,6 +61,8 @@ jobs: publish-arm: uses: ./.github/workflows/pipeline-segment-electron-build.yml
+ permissions:
+ contents: read
needs: checkout-linux with: environment: production-release
@@ -70,6 +78,8 @@ jobs: publish-arm64: uses: ./.github/workflows/pipeline-segment-electron-build.yml
+ permissions:
+ contents: read
needs: checkout-linux with: environment: production-release
diff --git a/.github/workflows/macos-publish.yml b/.github/workflows/macos-publish.yml
index faf1aae291aa..0c5f45a9dcb4 100644
--- a/.github/workflows/macos-publish.yml
+++ b/.github/workflows/macos-publish.yml
@@ -18,9 +18,13 @@ on: type: boolean default: false
+permissions: {}
+
jobs: checkout-macos: runs-on: electron-arc-centralus-linux-amd64-32core
+ permissions:
+ contents: read
container: image: ghcr.io/electron/build:${{ inputs.build-image-sha }} options: --user root
@@ -44,6 +48,8 @@ jobs: publish-x64-darwin: uses: ./.github/workflows/pipeline-segment-electron-build.yml
+ permissions:
+ contents: read
needs: checkout-macos with: environment: production-release
@@ -59,6 +65,8 @@ jobs: publish-x64-mas: uses: ./.github/workflows/pipeline-segment-electron-build.yml
+ permissions:
+ contents: read
needs: checkout-macos with: environment: production-release
@@ -74,6 +82,8 @@ jobs: publish-arm64-darwin: uses: ./.github/workflows/pipeline-segment-electron-build.yml
+ permissions:
+ contents: read
needs: checkout-macos with: environment: production-release
@@ -89,6 +99,8 @@ jobs: publish-arm64-mas: uses: ./.github/workflows/pipeline-segment-electron-build.yml
+ permissions:
+ contents: read
needs: checkout-macos with: environment: production-release
diff --git a/.github/workflows/pipeline-electron-build-and-test-and-nan.yml b/.github/workflows/pipeline-electron-build-and-test-and-nan.yml
index f4a7ec524356..8ba78ac23fb3 100644
--- a/.github/workflows/pipeline-electron-build-and-test-and-nan.yml
+++ b/.github/workflows/pipeline-electron-build-and-test-and-nan.yml
@@ -55,6 +55,8 @@ on: type: boolean default: false
+permissions: {}
+
concurrency: group: electron-build-and-test-and-nan-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }} cancel-in-progress: ${{ github.ref_protected != true }}
@@ -62,6 +64,8 @@ concurrency: jobs: build: uses: ./.github/workflows/pipeline-segment-electron-build.yml
+ permissions:
+ contents: read
with: build-runs-on: ${{ inputs.build-runs-on }} build-container: ${{ inputs.build-container }}
@@ -74,6 +78,10 @@ jobs: secrets: inherit test: uses: ./.github/workflows/pipeline-segment-electron-test.yml
+ permissions:
+ contents: read
+ issues: read
+ pull-requests: read
needs: build with: target-arch: ${{ inputs.target-arch }}
@@ -83,6 +91,8 @@ jobs: secrets: inherit nn-test: uses: ./.github/workflows/pipeline-segment-node-nan-test.yml
+ permissions:
+ contents: read
needs: build with: target-arch: ${{ inputs.target-arch }}
diff --git a/.github/workflows/pipeline-electron-build-and-test.yml b/.github/workflows/pipeline-electron-build-and-test.yml
index ee043fb31795..258bd969d767 100644
--- a/.github/workflows/pipeline-electron-build-and-test.yml
+++ b/.github/workflows/pipeline-electron-build-and-test.yml
@@ -64,14 +64,13 @@ concurrency: group: electron-build-and-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }} cancel-in-progress: ${{ github.ref_protected != true }}
-permissions:
- contents: read
- issues: read
- pull-requests: read
+permissions: {}
jobs: build: uses: ./.github/workflows/pipeline-segment-electron-build.yml
+ permissions:
+ contents: read
with: build-runs-on: ${{ inputs.build-runs-on }} build-container: ${{ inputs.build-container }}
@@ -86,6 +85,10 @@ jobs: secrets: inherit test: uses: ./.github/workflows/pipeline-segment-electron-test.yml
+ permissions:
+ contents: read
+ issues: read
+ pull-requests: read
needs: build with: target-arch: ${{ inputs.target-arch }}
diff --git a/.github/workflows/pipeline-electron-docs-only.yml b/.github/workflows/pipeline-electron-docs-only.yml
index a1d2dc525616..9c9e35c64b1f 100644
--- a/.github/workflows/pipeline-electron-docs-only.yml
+++ b/.github/workflows/pipeline-electron-docs-only.yml
@@ -8,6 +8,8 @@ on: description: 'Container to run the docs-only ts compile in' type: string
+permissions: {}
+
concurrency: group: electron-docs-only-${{ github.ref }} cancel-in-progress: true
@@ -19,6 +21,8 @@ jobs: docs-only: name: Docs Only Compile runs-on: electron-arc-centralus-linux-amd64-4core
+ permissions:
+ contents: read
timeout-minutes: 20 container: ${{ fromJSON(inputs.container) }} steps:
diff --git a/.github/workflows/pipeline-electron-lint.yml b/.github/workflows/pipeline-electron-lint.yml
index 7c1b27d0a33b..e767e0518448 100644
--- a/.github/workflows/pipeline-electron-lint.yml
+++ b/.github/workflows/pipeline-electron-lint.yml
@@ -8,6 +8,8 @@ on: description: 'Container to run lint in' type: string
+permissions: {}
+
concurrency: group: electron-lint-${{ github.ref_protected == true && github.run_id || github.ref }} cancel-in-progress: ${{ github.ref_protected != true }}
@@ -19,6 +21,8 @@ jobs: lint: name: Lint runs-on: electron-arc-centralus-linux-amd64-4core
+ permissions:
+ contents: read
timeout-minutes: 20 container: ${{ fromJSON(inputs.container) }} steps:
diff --git a/.github/workflows/pipeline-segment-electron-build.yml b/.github/workflows/pipeline-segment-electron-build.yml
index 23ee025b6c51..9ad7cd2e394a 100644
--- a/.github/workflows/pipeline-segment-electron-build.yml
+++ b/.github/workflows/pipeline-segment-electron-build.yml
@@ -59,6 +59,8 @@ on: type: boolean default: false
+permissions: {}
+
concurrency: group: electron-build-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ inputs.target-variant }}-${{ inputs.is-asan }}-${{ github.ref_protected == true && github.run_id || github.ref }} cancel-in-progress: ${{ github.ref_protected != true }}
@@ -81,6 +83,8 @@ jobs: run: shell: bash runs-on: ${{ inputs.build-runs-on }}
+ permissions:
+ contents: read
container: ${{ fromJSON(inputs.build-container) }} environment: ${{ inputs.environment }} env:
diff --git a/.github/workflows/pipeline-segment-electron-gn-check.yml b/.github/workflows/pipeline-segment-electron-gn-check.yml
index 48fe70307814..e274b07d40f4 100644
--- a/.github/workflows/pipeline-segment-electron-gn-check.yml
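Review bot: The `build` job in pipeline-segment-electron-build.yml is bound to `environment: ${{ inputs.environment }}` (hunk @@ -81) and is the callee of the publish jobs in linux-, macos- and windows-publish.yml, which pass `environment: production-release`, yet its `GITHUB_TOKEN` is now capped at `contents: read` by this hunk and by every caller. That is sufficient only if the release-upload steps, which lie outside the hunk, authenticate with a dedicated secret rather than `secrets.GITHUB_TOKEN`; if they rely on the token, `contents: write` would have to be granted in both the caller and callee blocks, since a called workflow cannot exceed its caller's grant. Once confirmed, a comment on the added block, `permissions:  # release uploads use a dedicated secret, not GITHUB_TOKEN`, would keep the next reader from widening it. The job body continues outside the hunk.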
+++ b/.github/workflows/pipeline-segment-electron-gn-check.yml
@@ -26,6 +26,8 @@ on: type: string default: testing
+permissions: {}
+
concurrency: group: electron-gn-check-${{ inputs.target-platform }}-${{ github.ref }} cancel-in-progress: true
@@ -41,6 +43,8 @@ jobs: run: shell: bash runs-on: ${{ inputs.check-runs-on }}
+ permissions:
+ contents: read
container: ${{ fromJSON(inputs.check-container) }} steps: - name: Checkout Electron
diff --git a/.github/workflows/pipeline-segment-electron-test.yml b/.github/workflows/pipeline-segment-electron-test.yml
index dc3fecb3e2ec..71f90d5f5d51 100644
--- a/.github/workflows/pipeline-segment-electron-test.yml
+++ b/.github/workflows/pipeline-segment-electron-test.yml
@@ -35,10 +35,7 @@ concurrency: group: electron-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ inputs.is-asan }}-${{ github.ref_protected == true && github.run_id || github.ref }} cancel-in-progress: ${{ github.ref_protected != true }}
-permissions:
- contents: read
- issues: read
- pull-requests: read
+permissions: {}
env: CHROMIUM_GIT_COOKIE: ${{ secrets.CHROMIUM_GIT_COOKIE }}
@@ -53,6 +50,10 @@ jobs: run: shell: bash runs-on: ${{ inputs.test-runs-on }}
+ permissions:
+ contents: read
+ issues: read
+ pull-requests: read
container: ${{ fromJSON(inputs.test-container) }} strategy: fail-fast: false
diff --git a/.github/workflows/pipeline-segment-node-nan-test.yml b/.github/workflows/pipeline-segment-node-nan-test.yml
index 087bf6772995..7000a211d024 100644
--- a/.github/workflows/pipeline-segment-node-nan-test.yml
+++ b/.github/workflows/pipeline-segment-node-nan-test.yml
@@ -26,6 +26,8 @@ on: type: string default: testing
+permissions: {}
+
concurrency: group: electron-node-nan-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }} cancel-in-progress: ${{ github.ref_protected != true }}
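Review bot: The `test` job in pipeline-segment-electron-test.yml now carries `issues: read` and `pull-requests: read` next to `contents: read` (hunk @@ -53), and both callers in pipeline-electron-build-and-test.yml and pipeline-electron-build-and-test-and-nan.yml mirror the same three scopes, but nothing in the hunk records which step consumes the issue and PR scopes; the commit only moves the grants down from the workflow level. Without that note the two scopes will outlive the step that needs them, and a reader cannot tell whether the callers may drop them. Suggest a comment above the added block naming the consumer, e.g. `# issues/pull-requests: read are used by <step name> — TODO confirm`, or removing the two scopes here and in both callers if no step uses `GITHUB_TOKEN` for that. The job body continues outside the hunk.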
@@ -39,6 +41,8 @@ jobs: node-tests: name: Run Node.js Tests runs-on: electron-arc-centralus-linux-amd64-8core
+ permissions:
+ contents: read
timeout-minutes: 30 env: TARGET_ARCH: ${{ inputs.target-arch }}
@@ -93,6 +97,8 @@ jobs: nan-tests: name: Run Nan Tests runs-on: electron-arc-centralus-linux-amd64-4core
+ permissions:
+ contents: read
timeout-minutes: 30 env: TARGET_ARCH: ${{ inputs.target-arch }}
diff --git a/.github/workflows/pull-request-labeled.yml b/.github/workflows/pull-request-labeled.yml
index 3a45965d0eb2..b827678ccc36 100644
--- a/.github/workflows/pull-request-labeled.yml
+++ b/.github/workflows/pull-request-labeled.yml
@@ -11,6 +11,7 @@ jobs: name: backport/requested label added if: github.event.label.name == 'backport/requested 🗳' runs-on: ubuntu-latest
+ permissions: {}
steps: - name: Trigger Slack workflow uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52 # v2.1.0
@@ -28,6 +29,7 @@ jobs: name: deprecation-review/complete label added if: github.event.label.name == 'deprecation-review/complete ✅' runs-on: ubuntu-latest
+ permissions: {}
steps: - name: Generate GitHub App token uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
diff --git a/.github/workflows/semantic.yml b/.github/workflows/semantic.yml
index 1b96a50153e4..ec163bd0de17 100644
--- a/.github/workflows/semantic.yml
+++ b/.github/workflows/semantic.yml
@@ -7,8 +7,7 @@ on: - edited - synchronize
-permissions:
- contents: read
+permissions: {}
jobs: main:
diff --git a/.github/workflows/stable-prep-items.yml b/.github/workflows/stable-prep-items.yml
index 576ddbc16c8b..963a69ad17a1 100644
--- a/.github/workflows/stable-prep-items.yml
+++ b/.github/workflows/stable-prep-items.yml
@@ -11,6 +11,7 @@ jobs: check-stable-prep-items: name: Check Stable Prep Items runs-on: ubuntu-latest
+ permissions: {}
steps: - name: Generate GitHub App token uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
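Review bot: In semantic.yml the workflow-level grant drops from `contents: read` to `{}` (hunk @@ -7), but the `main` job, whose body lies outside the hunk, is not shown receiving a job-level block, unlike every other job this diff touches. If `main` runs an action that reads the pull request through `secrets.GITHUB_TOKEN`, it now needs at least `pull-requests: read` declared on the job itself; please confirm such a block already exists below line 14, or add `permissions:` with `pull-requests: read` under `main:`.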
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 7fd2e20fa5e5..f3e647d12c58 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -10,6 +10,7 @@ permissions: {} jobs: stale: runs-on: ubuntu-latest
+ permissions: {}
steps: - name: Generate GitHub App token uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
@@ -31,6 +32,7 @@ jobs: only-pr-labels: not-a-real-label pending-repro: runs-on: ubuntu-latest
+ permissions: {}
if: ${{ always() }} needs: stale steps:
diff --git a/.github/workflows/windows-publish.yml b/.github/workflows/windows-publish.yml
index b72e045d7679..53fd4161bf28 100644
--- a/.github/workflows/windows-publish.yml
+++ b/.github/workflows/windows-publish.yml
@@ -18,9 +18,13 @@ on: type: boolean default: false
+permissions: {}
+
jobs: checkout-windows: runs-on: electron-arc-centralus-linux-amd64-32core
+ permissions:
+ contents: read
container: image: ghcr.io/electron/build:${{ inputs.build-image-sha }} options: --user root --device /dev/fuse --cap-add SYS_ADMIN
@@ -48,6 +52,8 @@ jobs: publish-x64-win: uses: ./.github/workflows/pipeline-segment-electron-build.yml
+ permissions:
+ contents: read
needs: checkout-windows with: environment: production-release
@@ -62,6 +68,8 @@ jobs: publish-arm64-win: uses: ./.github/workflows/pipeline-segment-electron-build.yml
+ permissions:
+ contents: read
needs: checkout-windows with: environment: production-release
@@ -76,6 +84,8 @@ jobs: publish-x86-win: uses: ./.github/workflows/pipeline-segment-electron-build.yml
+ permissions:
+ contents: read
needs: checkout-windows with: environment: production-release
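Review bot: The job-level `permissions: {}` added to `stale` and `pending-repro` in stale.yml (hunks @@ -10 and @@ -31) repeats the workflow-level `permissions: {}` that the first hunk's header shows already exists in this file, so neither addition changes the token at runtime. If the intent is that every job be self-describing regardless of the workflow default, that is a reasonable convention, but it should be stated once so it is applied uniformly; a comment on the workflow-level line, `permissions: {}  # jobs restate their scopes explicitly even when empty`, would do. Both job bodies continue outside the hunks.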