From 3e9ffccfd23f61e1b1041d378405f82c953428da Mon Sep 17 00:00:00 2001
From: jamesmaa
Date: Tue, 20 Aug 2024 16:00:01 -0700
Subject: [PATCH 1/4] Add top level read content permissions

---
 .github/workflows/bench.yml                      | 3 ++-
 .github/workflows/codeql.yml                     | 3 ++-
 .github/workflows/delay.yml                      | 3 ++-
 .github/workflows/playwright_comment.yml         | 3 ++-
 .github/workflows/release.yml                    | 3 ++-
 .github/workflows/touch-google-refresh-token.yml | 3 ++-
 6 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
index 004e806b77..b365d4567d 100644
--- a/.github/workflows/bench.yml
+++ b/.github/workflows/bench.yml
@@ -1,5 +1,6 @@
 name: Performance Benchmarks
-
+permissions:
+  contents: read
 on:
   push:
     branches: [master]
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index cf7f1f145d..386192a09e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -10,7 +10,8 @@
 # supported CodeQL languages.
 #
 name: "CodeQL"
-
+permissions:
+  contents: read
 on:
   push:
     branches: [ "master" ]
diff --git a/.github/workflows/delay.yml b/.github/workflows/delay.yml
index e3859f262b..189b91862f 100644
--- a/.github/workflows/delay.yml
+++ b/.github/workflows/delay.yml
@@ -22,7 +22,8 @@ on:
         description: "Max attempts"
         required: false
         default: "10"
-permissions: {}
+permissions:
+  contents: read
 jobs:
   delay:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/playwright_comment.yml b/.github/workflows/playwright_comment.yml
index f3017775f4..e9e6a9d07d 100644
--- a/.github/workflows/playwright_comment.yml
+++ b/.github/workflows/playwright_comment.yml
@@ -5,7 +5,8 @@ on:
     workflows: ["Playwright Tests"]
     types:
       - completed
-permissions: {}
+permissions:
+  contents: read
 jobs:
   playwright_comment:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6a50e8c7f6..6353484358 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
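Review bot: In the bench.yml hunk the new `permissions:` block is written in place of the blank line that separated `name:` from `on:`, so the two top-level stanzas now run together; keep a blank line after `contents: read` (the codeql.yml hunk in this patch has the same layout). A one-line comment above the block would also tell future editors that the read-only token is a deliberate least-privilege default rather than a leftover, e.g. `# Least-privilege GITHUB_TOKEN default; a job needing more must request it in its own permissions block`. Nothing in the workflow body is visible here, so whether any bench job needs a wider scope cannot be checked from this hunk.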
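Review bot: In the codeql.yml hunk a top-level `contents: read` means every job that does not declare its own `permissions:` block gets only that scope, and the CodeQL analyze step needs `security-events: write` to upload its results (the standard template grants that at job level, together with `actions: read` for private repositories). The job definition is outside this hunk, so confirm it still carries its own `permissions:` block with `security-events: write`; if it relied on the repository default before, the upload would start failing after this change. A comment on the new block would record the split: `# Read-only default; the analyze job grants security-events: write itself`.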
@@ -2,7 +2,8 @@ name: release
 on:
   release:
     types: [released]
-permissions: {}
+permissions:
+  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/touch-google-refresh-token.yml b/.github/workflows/touch-google-refresh-token.yml
index 03b407513b..09399984a3 100644
--- a/.github/workflows/touch-google-refresh-token.yml
+++ b/.github/workflows/touch-google-refresh-token.yml
@@ -3,7 +3,8 @@ on:
   schedule:
     - cron: "0 3 2 * *" # At 03:00 on day-of-month 2
   workflow_dispatch:
-permissions: {}
+permissions:
+  contents: read
 jobs:
   fetchToken:
     runs-on: ubuntu-latest
From 431e51a22297eec54d5ba27980722a1893390f1a Mon Sep 17 00:00:00 2001
From: jamesmaa
Date: Tue, 20 Aug 2024 16:11:33 -0700
Subject: [PATCH 2/4] Remove unnecessary perm

---
 .github/workflows/publish-edge.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/publish-edge.yml b/.github/workflows/publish-edge.yml
index 57b263d774..88a4118cdf 100644
--- a/.github/workflows/publish-edge.yml
+++ b/.github/workflows/publish-edge.yml
@@ -8,8 +8,6 @@ jobs:
     environment: cd
     outputs:
       result: ${{ steps.webStorePublish.outcome }}
-    permissions:
-      actions: write
     steps:
       - uses: robinraju/release-downloader@a96f54c1b5f5e09e47d9504526e96febd949d4c2 # pin@v1.11
         with:
From 72d31ecb2e0f1ef49494698c04139274975a18e3 Mon Sep 17 00:00:00 2001
From: jamesmaa
Date: Fri, 23 Aug 2024 11:06:51 -0600
Subject: [PATCH 3/4] Revert some changes

---
 .github/workflows/delay.yml                      | 3 +--
 .github/workflows/playwright_comment.yml         | 3 +--
 .github/workflows/release.yml                    | 3 +--
 .github/workflows/touch-google-refresh-token.yml | 3 +--
 4 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/delay.yml b/.github/workflows/delay.yml
index 189b91862f..e3859f262b 100644
--- a/.github/workflows/delay.yml
+++ b/.github/workflows/delay.yml
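Review bot: In the publish-edge.yml hunk, deleting the job-level `permissions:` block does not leave the job with no token scopes; it makes the job inherit the workflow-level block or, if the workflow has none, the repository's default GITHUB_TOKEN permissions, which can be broader than the single `actions: write` being removed. The workflow's top-level keys and the rest of the job are outside this hunk, so confirm a top-level `permissions:` exists; if the job truly needs nothing, `permissions: {}` at job level is the explicit replacement (the release-downloader step would still need `contents: read` if the release it fetches is in a private repository). The commit message calls the scope "unnecessary" without saying how that was verified; a sentence on that in the message would make the change easier to trust.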
@@ -22,8 +22,7 @@ on:
         description: "Max attempts"
         required: false
         default: "10"
-permissions:
-  contents: read
+permissions: {}
 jobs:
   delay:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/playwright_comment.yml b/.github/workflows/playwright_comment.yml
index e9e6a9d07d..f3017775f4 100644
--- a/.github/workflows/playwright_comment.yml
+++ b/.github/workflows/playwright_comment.yml
@@ -5,8 +5,7 @@ on:
     workflows: ["Playwright Tests"]
     types:
       - completed
-permissions:
-  contents: read
+permissions: {}
 jobs:
   playwright_comment:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6353484358..6a50e8c7f6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,8 +2,7 @@ name: release
 on:
   release:
     types: [released]
-permissions:
-  contents: read
+permissions: {}
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/touch-google-refresh-token.yml b/.github/workflows/touch-google-refresh-token.yml
index 09399984a3..03b407513b 100644
--- a/.github/workflows/touch-google-refresh-token.yml
+++ b/.github/workflows/touch-google-refresh-token.yml
@@ -3,8 +3,7 @@ on:
   schedule:
     - cron: "0 3 2 * *" # At 03:00 on day-of-month 2
   workflow_dispatch:
-permissions:
-  contents: read
+permissions: {}
 jobs:
   fetchToken:
     runs-on: ubuntu-latest
From 9d2976e4822b331b09d9f81bc8fceab0c498b184 Mon Sep 17 00:00:00 2001
From: jamesmaa
Date: Fri, 23 Aug 2024 11:15:44 -0600
Subject: [PATCH 4/4] Don't think we need the content write perm

---
 .github/workflows/release.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6a50e8c7f6..7a2adf38f2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,7 +8,6 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       actions: write
-      contents: write
     steps:
       - name: Dispatch publish-chrome
         uses: aurelien-baudet/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7 # pin@v2
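Review bot: In the playwright_comment.yml hunk of PATCH 3, going back to `permissions: {}` is the tighter choice, but it also means any job that does not declare its own block runs with a token that has no scopes at all; the `playwright_comment` job body is outside this hunk, and a job that posts on pull requests needs `pull-requests: write` at job level or it will fail at runtime. The same caveat applies to the delay.yml, release.yml and touch-google-refresh-token.yml hunks in this patch. Because a `workflow_run`-triggered workflow executes in the base repository's context, an empty top-level token with per-job grants is the right shape here; a short comment `# No default scopes; each job declares the permissions it needs` would record that intent.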
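Review bot: In the release.yml hunk of PATCH 4, dropping `contents: write` leaves the `build` job with `actions: write`, which is the scope a workflow-dispatch step needs; whether a later step of the job (the job continues outside this hunk) pushes tags, uploads release assets or otherwise writes to the repository cannot be seen here, and the commit title's "don't think" suggests it was not confirmed. Verify by exercising the workflow on a test release and checking that the `publish-chrome` dispatch and the remaining steps succeed, then record why the surviving scope is kept: `actions: write # required by workflow-dispatch to trigger publish-chrome`.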