diff --git a/.github/workflows/deploy-main.yml b/.github/workflows/deploy-main.yml
index 7fa942b184..8d7cff867e 100644
--- a/.github/workflows/deploy-main.yml
+++ b/.github/workflows/deploy-main.yml
@@ -7,6 +7,9 @@ on:
         "release/*",
       ]
 
+# Set default minimum permissions to prevent unnecessary access
+permissions: {}
+
 env:
   CI: 1
   TURBO_TELEMETRY_DISABLED: 1
@@ -18,6 +21,9 @@ jobs:
   build:
     runs-on: ubuntu-latest
     if: github.repository == 'lynx-family/lynx-stack'
+    permissions:
+      contents: read
+      actions: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
@@ -55,11 +61,13 @@ jobs:
       cancel-in-progress: true
     uses: ./.github/workflows/workflow-build.yml
     if: github.repository == 'lynx-family/lynx-stack'
+    permissions: {}
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   benchmark:
     needs: build-all
     uses: ./.github/workflows/workflow-bench.yml
+    permissions: {}
   bundle-analysis:
     permissions: {}
     needs: build-all
@@ -125,7 +133,7 @@ jobs:
           id: date
           run: echo "::set-output name=date::$(date -u +'%Y-%m-%d %H:%M:%S')"
         - name: attempt to release
-          uses: changesets/action@v1
+          uses: changesets/action@e0538e686673de0265c8a3e2904b8c76beaa43fd # v1.5.2
           env:
             GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
             NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -184,6 +192,7 @@ jobs:
     needs: build-all
     if: github.repository == 'lynx-family/lynx-stack'
     uses: ./.github/workflows/workflow-website.yml
+    permissions: {}
   website-deploy:
     needs: website-build
     if: github.repository == 'lynx-family/lynx-stack'
@@ -192,6 +201,7 @@ jobs:
     permissions:
       pages: write # to deploy to Pages
       id-token: write # to verify the deployment originates from an appropriate source
+      contents: read
 
     # Deploy to the github-pages environment
     environment:
diff --git a/.github/workflows/nodejs-dependencies.yml b/.github/workflows/nodejs-dependencies.yml
index fed24dc0ef..7ada76b3f7 100644
--- a/.github/workflows/nodejs-dependencies.yml
+++ b/.github/workflows/nodejs-dependencies.yml
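Review bot: The `actions: read` scope added to the `build` job in the second hunk carries no justification, unlike the stale.yml hunk in this same commit where every granted scope has an inline comment, and from this hunk it is not visible which step needs it because the job's steps continue outside the hunk. Either document it in place, e.g. `actions: read # needed by <step that reads runs/artifacts> — TODO confirm`, or drop it if no step in the job consumes workflow-run or artifact data.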
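Review bot: `permissions: {}` on the `build-all` and `benchmark` caller jobs in the third hunk (and on `website-build` in the fifth) is the ceiling for the reusable workflows they invoke, so no job inside workflow-build.yml, workflow-bench.yml or workflow-website.yml can obtain even `contents: read`. If any of those workflows runs `actions/checkout`, this presumably only passes because the repository is public; in a private repository or a fork the checkout would fail. Worth confirming the called workflows need no token scope at all, and otherwise granting the minimal `permissions:` with `contents: read` at the caller rather than `{}`. `bundle-analysis` already used `permissions: {}` before this change, so the pattern may be deliberate.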
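Review bot: Pinning changesets/action to a commit SHA is right, but with the top-level `permissions: {}` this commit introduces, the release job's own `permissions:` block (outside this hunk) now has to grant explicitly what changesets/action needs to push the version branch and open the release PR — at least `contents: write` and `pull-requests: write`, plus `id-token: write` if npm provenance is in use; please confirm that block exists and is sufficient. Separately, the context line above the pin still uses the deprecated `::set-output` workflow command; `run: echo "date=$(date -u +'%Y-%m-%d %H:%M:%S')" >> "$GITHUB_OUTPUT"` is the supported form.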
@@ -7,6 +7,10 @@ name: NodeJS Dependencies
       - package.json
       - pnpm-lock.yaml
       - "**/package.json"
+
+# Set minimum permissions to prevent unnecessary access
+permissions: {}
+
 env:
   CI: 1
   TURBO_TELEMETRY_DISABLED: 1
@@ -16,6 +20,8 @@ concurrency:
 jobs:
   sherif:
     runs-on: lynx-ubuntu-24.04-medium
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index d804392a6f..62cb1f50cb 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -9,6 +9,9 @@ on:
       CODECOV_TOKEN:
         required: true
 
+# Set minimum permissions to prevent unnecessary access
+permissions: {}
+
 env:
   CI: 1
   TURBO_TELEMETRY_DISABLED: 1
@@ -18,6 +21,8 @@ concurrency:
 jobs:
   test:
     runs-on: lynx-ubuntu-24.04-xlarge
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
@@ -46,6 +51,8 @@ jobs:
 
   rustfmt:
     runs-on: lynx-ubuntu-24.04-medium
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 5e8d8bca93..36fb2c55df 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -3,9 +3,15 @@ on:
   schedule:
     - cron: "30 17 * * *"
 
+# Set minimum permissions to prevent unnecessary access
+permissions: {}
+
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write # Need write permission to mark and close stale issues
+      pull-requests: write # Need write permission to mark and close stale PRs
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
         if: github.repository == 'lynx-family/lynx-stack'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 895099e26f..a2c2ebeca9 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -11,6 +11,7 @@ permissions:
   repository-projects: read
   contents: read
   statuses: read
+
 env:
   CI: 1
   TURBO_TELEMETRY_DISABLED: 1
@@ -58,8 +59,6 @@ jobs:
     needs: build
     uses: ./.github/workflows/workflow-test.yml
     permissions:
-      contents: read
-      pull-requests: read
       statuses: write
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
@@ -73,6 +72,7 @@ jobs:
   playwright-linux:
     needs: build
     uses: ./.github/workflows/workflow-test.yml
+
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     with:
@@ -87,6 +87,7 @@ jobs:
   playwright-linux-all-on-ui:
     needs: build
     uses: ./.github/workflows/workflow-test.yml
+
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     with:
@@ -102,6 +103,7 @@ jobs:
   test-api:
     needs: build
     uses: ./.github/workflows/workflow-test.yml
+
     with:
       runs-on: lynx-ubuntu-24.04-medium
       run: |
@@ -126,10 +128,6 @@ jobs:
   test-publish:
     needs: build
     uses: ./.github/workflows/workflow-test.yml
-    permissions:
-      contents: read
-      pull-requests: read
-      statuses: read
     with:
       runs-on: lynx-ubuntu-24.04-medium
       run: |
diff --git a/.github/workflows/workflow-test.yml b/.github/workflows/workflow-test.yml
index 96650c34b7..dd727122d2 100644
--- a/.github/workflows/workflow-test.yml
+++ b/.github/workflows/workflow-test.yml
@@ -12,6 +12,7 @@ on:
       run:
         required: true
         type: string
+        description: "Command run parameters, limited to predefined test commands"
       is-web:
         required: false
         type: boolean
@@ -21,12 +22,16 @@ on:
         type: string
         default: "unittest"
 
+# Set minimum permissions to prevent unnecessary access
+permissions: {}
+
 env:
   CI: 1
   TURBO_TELEMETRY_DISABLED: 1
 jobs:
   check:
     runs-on: ${{ inputs.runs-on }}
+    permissions: {}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
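Review bot: The new `description` for the `run` input in the first workflow-test.yml hunk says the value is "limited to predefined test commands", but nothing in the workflow enforces that: the input is a free-form `type: string`, and the test.yml callers pass a multi-line `run: |` block that is presumably executed by a step outside this hunk. The limit is a repository convention (only workflows in this repository can invoke a `workflow_call` workflow), so the description should say that rather than imply validation, e.g. `description: "Shell command(s) to run; callers live in this repository and should keep to the predefined test commands"`.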
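Review bot: `permissions: {}` on the `check` job in the last hunk is immediately followed by `actions/checkout`, and the same commit drops `contents: read` from the callers in test.yml (the `@@ -58` and `@@ -126` hunks), so that checkout now runs with a token that has no `contents` scope at all. That presumably works only because the repository is public; in a private repository or a fork the checkout would fail, and it is inconsistent with every other job in this commit, which grants `contents: read` wherever it checks out. Suggest replacing the line with the two lines `permissions:` and `  contents: read` on the `check` job. The job's steps continue outside the hunk.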