Skip to content

Commit 1375beb

Browse files
committed
fix(ci): add least-privilege permissions to workflow files
Add top-level permissions blocks following the two-tier permission pattern recommended by OpenSSF Scorecard: - stale.yml: add `permissions: {}` at workflow level (job already has issues: write + pull-requests: write) - build_external_container_images.yaml: move `packages: write` from workflow level to job level; set workflow level to `permissions: read-all` scm_configuration_check.yaml already had `permissions: read-all` at workflow level so no change was needed. Fixes #2841 Signed-off-by: Vibhav Bobade <vibhav.bobde@gmail.com>
1 parent 84e5e54 commit 1375beb

2 files changed

Lines changed: 6 additions & 3 deletions

File tree

.github/workflows/build_external_container_images.yaml

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -3,14 +3,15 @@ name: Build Bitnami Container Images
33
on:
44
workflow_dispatch:
55

6-
permissions:
7-
contents: read
8-
packages: write
6+
permissions: read-all
97

108
jobs:
119
build_and_push_images:
1210
name: Build and Push ${{ matrix.image.name }} Image
1311
runs-on: ubuntu-latest
12+
permissions:
13+
contents: read
14+
packages: write
1415
strategy:
1516
matrix:
1617
image:

.github/workflows/stale.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,8 @@ on:
55
- cron: '30 1 * * *'
66
workflow_dispatch:
77

8+
permissions: {}
9+
810
jobs:
911
close-issues:
1012
runs-on: ubuntu-latest

0 commit comments

Comments
 (0)