Merge pull request #12952 from sashashura/patch-1

ci: workflows security hardening
2026-01-11 01:57:35 -03:30 · 2023-04-11 15:51:07 -04:00 · 2023-04-11 15:51:07 -04:00 · 3975028bd4
commit 3975028bd4
parent 1c51ef8a69 b3bda415da
3 changed files with 11 additions and 0 deletions
--- a/.github/workflows/label_issue.yml
+++ b/.github/workflows/label_issue.yml
@ -6,6 +6,10 @@ on:
      - opened
      - reopened

+    permissions:
+      contents: read # to fetch code
+      issues: write # to label issues
+
 jobs:
  triage:
    runs-on: ubuntu-latest
--- a/.github/workflows/label_pr.yml
+++ b/.github/workflows/label_pr.yml
@ -7,6 +7,10 @@ on:
      - reopened
      - synchronize

+permissions:
+  contents: read # to determine modified files (actions/labeler)
+  pull-requests: write # to add labels to PRs (actions/labeler)
+
 jobs:
  triage:
    runs-on: ubuntu-latest
--- a/.github/workflows/promote.yml
+++ b/.github/workflows/promote.yml
@ -8,6 +8,9 @@ on:
  release:
    types: [published]

+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
  promote:
    if: endsWith(github.repository, '/awx')