chore: GitHub Workflows security hardening (#2740)

* build: harden tests.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> * build: harden release-please.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> * build: harden visual-studio.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> * Update release-please.yml --------- Signed-off-by: Alex <aleksandrosansan@gmail.com>
nodejs · Oct 27, 2023 · 26683e9 · 26683e9
1 parent 91fd8ff
commit 26683e9
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -7,6 +7,10 @@ on:
 
 jobs:
   release-please:
+    permissions:
+      contents: write # to create release commit (google-github-actions/release-please-action)
+      pull-requests: write # to create release PR (google-github-actions/release-please-action)
+
     runs-on: ubuntu-latest
     steps:
       - uses: google-github-actions/release-please-action@v2

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -7,6 +7,10 @@ on:
     branches: [ main ]
   pull_request:
     branches: [ main ]
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   Lint_Python:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/visual-studio.yml b/.github/workflows/visual-studio.yml
@@ -6,6 +6,10 @@ on:
     branches: [ main ]
   pull_request:
     branches: [ main ]
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   visual-studio:
     strategy: