Harden workflows by defining only strictly needed permissions for all of them (#174)

* Define only needed write permissions
Lorenzooone authored Jul 5, 2022
1 parent 64c1d92 commit 7c9408e
Showing 3 changed files with 27 additions and 5 deletions.
7 changes: 6 additions & 1 deletion .github/workflows/build_master.yml
@@ -1,10 +1,13 @@
name: Build
on:
# Trigger the workflow on push or pull request,
# Trigger the workflow on push,
# but only for the master branch
push:
branches:
- master

permissions: read-all

jobs:
build:
name: Patch building
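Review bot: `permissions: read-all` at the workflow level is a sound baseline, but it grants read on every scope (issues, pull-requests, packages, and so on) when a build job usually only needs to check out the repository; if that is all the `build` job does, `permissions:` with `contents: read` is the tighter choice and leaves the job-level `contents: write` below as the only escalation in the file. The comment fix ("Trigger the workflow on push") now matches the `push:`-only trigger.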
@@ -23,6 +26,8 @@ jobs:
name: Patch publishing
runs-on: ubuntu-latest
needs: build
permissions:
contents: write
steps:
- name: Download a single artifact
uses: actions/download-artifact@v3
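Review bot: a job-level `permissions:` block replaces the workflow-level `read-all` for this job rather than adding to it, so the publish job ends up with `contents: write` and no other scope; that is the intended outcome, but confirm that the remaining steps of this job (not shown in the hunk) do not call any API beyond pushing or releasing to the repository, since those would now get `none`. While this job is being hardened, `actions/download-artifact@v3` could be pinned to a full commit SHA instead of the mutable `v3` tag so the tightened token is not paired with a floating action reference.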
2 changes: 2 additions & 0 deletions .github/workflows/build_pr.yml
@@ -2,6 +2,8 @@ name: Build PR
on:
pull_request:
branches: master

permissions: read-all

jobs:
build:
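Review bot: for pull requests from forks the `pull_request` trigger already runs with a read-only `GITHUB_TOKEN`, so `permissions: read-all` changes nothing there; it does matter for PRs opened from branches of this repository, where the token would otherwise fall back to the repository default, so the explicit setting is worth keeping. As with the master build, `contents: read` would be tighter if the PR build only checks out and compiles.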
23 changes: 19 additions & 4 deletions .github/workflows/test_master.yml
@@ -1,10 +1,13 @@
name: Test
on:
# Trigger the workflow on push or pull request,
# Trigger the workflow on push,
# but only for the master branch
push:
branches:
- master

permissions: read-all

jobs:
test:
name: Testing
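Review bot: same observation as for build_master.yml: workflow-level `read-all` is fine as a baseline, but if the `test` job only needs checkout, `contents: read` would be the minimal scope, with the `issues: write` grant below left to the job that actually needs it. The comment now matches the `push:`-only trigger.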
@@ -26,12 +29,24 @@ jobs:
with:
name: test-report
path: out/test.log
- name: Create Issue for Test failure
if: failure()

issue_creation:
name: Create issue on failure
runs-on: ubuntu-latest
permissions:
issues: write
needs: test
if: failure()
steps:
- name: Download a single artifact
uses: actions/download-artifact@v3
with:
name: test-report
- name: Create the issue
uses: peter-evans/create-issue-from-file@v4
with:
title: Test failure
content-filepath: out/test.log
content-filepath: test.log
labels: |
report
automated issue
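Review bot: the new `issue_creation` job downloads the `test-report` artifact, so the upload step in the `test` job (the `with: name: test-report` / `path: out/test.log` step at the top of this hunk) must run when the tests fail, i.e. carry `if: failure()` or `if: always()`; that condition is outside this hunk and should be confirmed, otherwise the download step errors out and no issue is filed. The change from `content-filepath: out/test.log` to `test.log` is correct: `upload-artifact` stores a single-file path as just `test.log`, and `download-artifact@v3` without `path` unpacks into the workspace root. Splitting issue creation into its own job with only `issues: write` is the right move; the job-level block replaces the workflow `read-all`, which is enough because downloading an artifact from the same run needs no extra scope. `peter-evans/create-issue-from-file@v4` and `actions/download-artifact@v3` could be pinned to commit SHAs for the same reason as in build_master.yml.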
