GitHub Workflows security hardening (#1193)

* build: harden validate.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> * Update validate.yml Signed-off-by: Alex <aleksandrosansan@gmail.com> Co-authored-by: Sebastian Silbermann <silbermann.sebastian@gmail.com>
testing-library · Dec 23, 2022 · acedf31 · acedf31
1 parent fe12e5b
commit acedf31
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -12,8 +12,14 @@ on:
       - 'alpha'
       - '!all-contributors/**'
   pull_request: {}
+
+permissions: {}
+
 jobs:
   main:
+    permissions:
+      actions: write #  to cancel/stop running workflows (styfle/cancel-workflow-action)
+      contents: read #  to fetch code (actions/checkout)
     # ignore all-contributors PRs
     if: ${{ !contains(github.head_ref, 'all-contributors') }}
     strategy:
@@ -56,6 +62,10 @@ jobs:
           flags: node-${{ matrix.node }}
 
   release:
+    permissions:
+      actions: write #  to cancel/stop running workflows (styfle/cancel-workflow-action)
+      contents: write #  to create release tags (cycjimmy/semantic-release-action)
+
     needs: main
     runs-on: ubuntu-latest
     if: