From 98e40d8a010ceea485873e764d5ed53994c4311d Mon Sep 17 00:00:00 2001
From: erezrokah
Date: Mon, 29 Sep 2025 15:26:56 +0100
Subject: [PATCH] chore: Add permissions to all workflows

---
 .github/workflows/add_tags.yml    | 15 ---------------
 .github/workflows/lint_golang.yml |  3 +++
 .github/workflows/pr_title.yml    |  5 ++++-
 .github/workflows/regen.yml       |  3 +++
 .github/workflows/release_pr.yml  |  3 +++
 .github/workflows/unittest.yml    |  5 ++++-
 6 files changed, 17 insertions(+), 17 deletions(-)
 delete mode 100644 .github/workflows/add_tags.yml

diff --git a/.github/workflows/add_tags.yml b/.github/workflows/add_tags.yml
deleted file mode 100644
index 9b62d7c6..00000000
--- a/.github/workflows/add_tags.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# Warning, do not check out untrusted code with
-# the pull_request_target event.
-# the current workflow IS safe as long as you dont checkout untrusted code
-# https://nathandavison.com/blog/github-actions-and-the-threat-of-malicious-pull-requests
-on:
-  pull_request_target:
-    types: [opened, edited]
-name: conventional-release-labels
-jobs:
-  label:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: bcoe/conventional-release-labels@v1
-        with:
-          type_labels: '{ "feat": "feat", "fix": "fix", "chore": "chore", "refactor": "refactor", "test": "test", "breaking": "breaking" }'
\ No newline at end of file
diff --git a/.github/workflows/lint_golang.yml b/.github/workflows/lint_golang.yml
index cf3350e2..6eb0977b 100644
--- a/.github/workflows/lint_golang.yml
+++ b/.github/workflows/lint_golang.yml
@@ -7,6 +7,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   golangci:
     name: Lint with GolangCI
diff --git a/.github/workflows/pr_title.yml b/.github/workflows/pr_title.yml
index 8511fa9f..8a6f52af 100644
--- a/.github/workflows/pr_title.yml
+++ b/.github/workflows/pr_title.yml
@@ -7,6 +7,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  pull-requests: read
+
 jobs:
   main:
     name: Validate PR title
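Review bot: The workflow-level `permissions: contents: read` added in lint_golang.yml now governs the golangci job, whose steps start after the hunk, so the hunk alone cannot show whether the lint step needs anything beyond repository read. If that step runs golangci-lint-action with `only-new-issues: true`, it additionally needs `pull-requests: read` to fetch the PR diff, and a block that is too narrow fails at run time with an API 403 rather than at workflow parse time. A one-line comment above the block would record the intent so nobody widens it at the top level later: `# least-privilege default for every job; grant extra scopes per job, not here`. The same caveat applies to the identical block added in the first unittest.yml hunk.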
@@ -44,7 +47,7 @@ jobs:
           # special "[WIP]" prefix to indicate this state. This will avoid the
           # validation of the PR title and the pull request checks remain pending.
           # Note that a second check will be reported if this is enabled.
-          wip: true
+          wip: false
           # When using "Squash and merge" on a PR with only one commit, GitHub
           # will suggest using that commit message instead of the PR title for the
           # merge commit, and it's easy to commit this by mistake. Enable this option
diff --git a/.github/workflows/regen.yml b/.github/workflows/regen.yml
index 62e19cf1..dab90cf9 100644
--- a/.github/workflows/regen.yml
+++ b/.github/workflows/regen.yml
@@ -4,6 +4,9 @@ on:
     - cron: "0 8 * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   regen:
     timeout-minutes: 30
diff --git a/.github/workflows/release_pr.yml b/.github/workflows/release_pr.yml
index fcda8f73..69f61c47 100644
--- a/.github/workflows/release_pr.yml
+++ b/.github/workflows/release_pr.yml
@@ -4,6 +4,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   release-please:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/unittest.yml b/.github/workflows/unittest.yml
index a773a9d8..4dc245ef 100644
--- a/.github/workflows/unittest.yml
+++ b/.github/workflows/unittest.yml
@@ -7,6 +7,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   unitests:
     timeout-minutes: 30
@@ -28,4 +31,4 @@ jobs:
         run: make test
         env:
           CLOUDQUERY_TEAM_NAME: ${{ secrets.CLOUDQUERY_TEAM_NAME }}
-          CLOUDQUERY_API_KEY: ${{ secrets.CLOUDQUERY_API_KEY }}
\ No newline at end of file
+          CLOUDQUERY_API_KEY: ${{ secrets.CLOUDQUERY_API_KEY }}
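Review bot: Flipping `wip: true` to `wip: false` in the same commit that adds `pull-requests: read` reads as a consequence of the permission change — the WIP mode publishes a commit status, which presumably needs `statuses: write` that the new block does not grant — but nothing in the file records that link. The comment above the option (it begins before the hunk) still describes WIP as something that can simply be switched on, so the next person to re-enable it will get a run-time 403 with no hint why. Add one line next to the option: `# wip: true would also require statuses: write in the workflow permissions block`. The step and its `with:` mapping that contain this line start outside the hunk.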
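Review bot: The regen job runs on a cron and, judging by its name, regenerates files; its steps are outside the hunk, and if any of them commits, pushes or opens a PR with the default GITHUB_TOKEN, the new workflow-level `contents: read` makes that write fail with a 403 at run time. The same concern applies to the release_pr.yml hunk, where a release-please job needs `contents: write` and `pull-requests: write` unless the step passes a PAT through its `token:` input. For whichever job actually writes, grant the scopes at job level instead of widening the top-level block, e.g. `permissions: { contents: write, pull-requests: write }` under that job only; if both jobs use a PAT, a comment saying so next to the read-only block would stop this question from being re-asked.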