ci: add default action permissions (#36363)

* [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

* Delete dependabot.yml

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: Jeremy Rose <nornagon@nornagon.net>
Step Security Bot 2022-11-16 12:44:25 -08:00 committed by GitHub
parent bd345358f6
commit 517225b99e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 0 deletions


@ -10,6 +10,9 @@ on:
type: text type: text
required: true required: true
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs: jobs:
electron-woa-init: electron-woa-init:
if: ${{ github.event_name == 'push' && github.repository == 'electron/electron' }} if: ${{ github.event_name == 'push' && github.repository == 'electron/electron' }}
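Review bot: The trailing comment on the new `permissions:` line records which tool generated the block, not what the block does, so a maintainer who later adds a step needing a write scope gets a permission error with no hint where to grant it. I would replace it with something like `permissions:  # least-privilege default for GITHUB_TOKEN; grant write scopes per job, not here`. The same generated comment is added in the other two workflow hunks on this page. Only the first job's header is visible here, so whether every job in this workflow still works with a read-only `contents` scope should be confirmed from a run.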


@ -4,8 +4,14 @@ on:
issues: issues:
types: [labeled] types: [labeled]
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs: jobs:
issue-labeled: issue-labeled:
permissions:
issues: write # for actions-cool/issues-helper to update issues
pull-requests: write # for actions-cool/issues-helper to update PRs
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: blocked/need-repro - name: blocked/need-repro
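Review bot: `pull-requests: write` in the new job-level block looks broader than this workflow needs, because the only trigger visible in the hunk is `issues` with `types: [labeled]`, so the steps should only ever act on issues. If no step touches a pull request, drop that line and keep `issues: write`. A job-level `permissions` block also replaces the workflow-level one rather than adding to it, so this job runs without `contents: read`; that is fine as long as no step needs repository contents. The `steps:` list continues outside the hunk, and since the token handed to actions-cool/issues-helper is now explicitly write-capable, its `uses:` reference is worth pinning to a full commit SHA if it is not already.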


@ -7,6 +7,9 @@ on:
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs: jobs:
check_tag: check_tag:
runs-on: ubuntu-latest runs-on: ubuntu-latest
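Review bot: With `GITHUB_TOKEN` exported in the workflow-level `env:` just above, the new `contents: read` default is what bounds what every step in every job can do with that token, and the added comment should say so, e.g. `# token is exported to all steps via env; keep this read-only`. A tighter arrangement would set `GITHUB_TOKEN` only in the `env:` of the step that actually calls the API, but those steps are outside the hunk. The `check_tag` job body continues past the last visible line.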