GitHub Workflows security hardening (#1451)

lostisland · Oct 10, 2022 · 36916f0 · 36916f0
1 parent 4024f4d
commit 36916f0
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,6 +11,9 @@ env:
   GIT_BRANCH: ${{ github.ref }}
   COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }}
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   linting:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -4,6 +4,8 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read  # to checkout the code (actions/checkout)
 jobs:
   build:
     name: Publish to Rubygems

diff --git a/.github/workflows/refresh_team_page.yml b/.github/workflows/refresh_team_page.yml
@@ -4,6 +4,7 @@ on:
   push:
     branches: [ main ]
 
+permissions: {}
 jobs:
   build:
     name: Refresh Contributors Stats