build: GitHub Workflows security hardening (#2238)

* build: harden ci.yaml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> * build: harden release-please.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> Co-authored-by: Benjamin E. Coe <bencoe@google.com>
yargs · Nov 3, 2022 · bc84a61 · bc84a61
1 parent f727e71
commit bc84a61
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -5,6 +5,9 @@ on:
   pull_request:
     types: [ assigned, opened, synchronize, reopened, labeled ]
 name: ci
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   test:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -3,8 +3,13 @@ on:
      branches:
        - main
 name: release-please
+permissions: {}
 jobs:
   release-please:
+    permissions:
+      contents: write # to create release commit (google-github-actions/release-please-action)
+      pull-requests: write # to create release PR (google-github-actions/release-please-action)
+
     runs-on: ubuntu-latest
     steps:
       - uses: google-github-actions/release-please-action@v3