From fbbe6560bbd8732186b071cc75ff4d52e4262405 Mon Sep 17 00:00:00 2001
From: Ewan Harris
Date: Tue, 5 Nov 2024 09:46:18 +0000
Subject: [PATCH] chore(ci): restrict workflow permissions

---
 config/clients/dotnet/config.overrides.json | 4 ++++
 .../dotnet/template/.github/workflows/main.yaml.mustache | 6 ++++++
 config/common/files/.github/workflows/semgrep.yaml | 4 ++++
 3 files changed, 14 insertions(+)

diff --git a/config/clients/dotnet/config.overrides.json b/config/clients/dotnet/config.overrides.json
index 667d46ac..d271f1cf 100644
--- a/config/clients/dotnet/config.overrides.json
+++ b/config/clients/dotnet/config.overrides.json
@@ -35,6 +35,10 @@
   "hashCodeMultiplierPrimeNumber": 9923,
   "supportsOpenTelemetry": true,
   "files": {
+    ".github/workflows/main.yaml.mustache": {
+      "destinationFilename": ".github/workflows/main.yaml",
+      "templateType": "SupportingFiles"
+    },
     "Client_OAuth2Client.mustache": {
       "destinationFilename": "src/OpenFga.Sdk/ApiClient/OAuth2Client.cs",
       "templateType": "SupportingFiles"
diff --git a/config/clients/dotnet/template/.github/workflows/main.yaml.mustache b/config/clients/dotnet/template/.github/workflows/main.yaml.mustache
index 2bd5a30f..eb5b452f 100644
--- a/config/clients/dotnet/template/.github/workflows/main.yaml.mustache
+++ b/config/clients/dotnet/template/.github/workflows/main.yaml.mustache
@@ -7,6 +7,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -81,6 +84,9 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
     needs: publish
 
+    permissions:
+      contents: write
+
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
diff --git a/config/common/files/.github/workflows/semgrep.yaml b/config/common/files/.github/workflows/semgrep.yaml
index cab8eb40..cbda2090 100644
--- a/config/common/files/.github/workflows/semgrep.yaml
+++ b/config/common/files/.github/workflows/semgrep.yaml
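Review bot: The top-level `contents: read` added after `workflow_dispatch:` also becomes the token scope of the `publish` job, which is outside this hunk but is referenced by the release job's `needs: publish` further down; if that job pushes the package with the `GITHUB_TOKEN` (GitHub Packages) or uses OIDC trusted publishing, it now needs its own job-level `permissions:` (`packages: write` or `id-token: write` respectively) or it will fail at publish time, which is only exercised on a tag. A key-based NuGet push that reads a repository secret is unaffected. Worth checking the publish job's steps before the regenerated workflow is rolled out to the SDK repos.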
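Review bot: Once this job holds `contents: write`, the `actions/checkout` step on the hunk's last lines persists that write-scoped `GITHUB_TOKEN` in `.git/config` by default, where every later step and any tool those steps run can read and use it; unless a later step pushes with that token, the `with:` block (its contents are outside the hunk) should set `persist-credentials: false`. A one-line comment on the grant stating what actually needs write, e.g. `# contents: write is needed to create the GitHub release for the tag`, would also stop the next reader from widening it. The job's header and name start above this hunk, so I cannot see whether anything else in it relies on the broader scope.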
@@ -3,6 +3,10 @@ on:
   push:
     branches:
       - main
+
+permissions:
+  contents: read
+
 jobs:
   semgrep:
     name: Scan
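Review bot: The new top-level `contents: read` also removes `security-events: write` from the `semgrep` job, whose steps are outside this hunk; if that job uploads SARIF to code scanning (for example via `github/codeql-action/upload-sarif`) it will start failing with a 403 and needs a job-level `permissions:` block with `contents: read` and `security-events: write`. If it only runs `semgrep ci` against Semgrep's own service with a token secret, read-only is sufficient and nothing further is needed. Either way, a short comment next to the block recording which of the two applies would save the next person from re-deriving it.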