From 8b8c1148c9330d792e9acd36026808aa78de3544 Mon Sep 17 00:00:00 2001 From: Qingyu Wang <40660121+colinaaa@users.noreply.github.com> Date: Sat, 17 May 2025 21:28:30 +0800 Subject: [PATCH 1/6] ci: set default minimum permissions --- .github/workflows/deploy-main.yml | 14 +++++++++++++- .github/workflows/nodejs-dependencies.yml | 6 ++++++ .github/workflows/rust.yml | 8 ++++++++ .github/workflows/stale.yml | 6 ++++++ .github/workflows/workflow-test.yml | 18 +++++++++++++++++- 5 files changed, 50 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-main.yml b/.github/workflows/deploy-main.yml index 7fa942b184..2246c9f674 100644 --- a/.github/workflows/deploy-main.yml +++ b/.github/workflows/deploy-main.yml @@ -7,6 +7,10 @@ on: "release/*", ] +# Set default minimum permissions to prevent unnecessary access +permissions: {} + + env: CI: 1 TURBO_TELEMETRY_DISABLED: 1 @@ -18,6 +22,9 @@ jobs: build: runs-on: ubuntu-latest if: github.repository == 'lynx-family/lynx-stack' + permissions: + contents: read + actions: read steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: @@ -55,11 +62,13 @@ jobs: cancel-in-progress: true uses: ./.github/workflows/workflow-build.yml if: github.repository == 'lynx-family/lynx-stack' + permissions: {} secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} benchmark: needs: build-all uses: ./.github/workflows/workflow-bench.yml + permissions: {} bundle-analysis: permissions: {} needs: build-all @@ -69,6 +78,7 @@ jobs: needs: build-all uses: ./.github/workflows/workflow-test.yml if: github.repository == 'lynx-family/lynx-stack' + permissions: {} secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: 
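Review bot: `permissions: {}` on the `build-all`, `benchmark` and `test` jobs in the `@@ -55,11 +62,13 @@` and `@@ -69,6 +78,7 @@` hunks of deploy-main.yml is the ceiling for the called reusable workflow, not a default, so a scope that the callee's own jobs declare is presumably rejected at run time rather than narrowed; the series then adds scopes to these jobs in patches 2 and 3 and deletes them again in patch 6, which suggests the set the callees need was not settled before this commit. The file-level `permissions: {}` added in the first hunk already covers jobs without a block, so I would drop the per-job `{}` on `uses:` jobs and instead give each caller job exactly the scopes its callee's jobs request, with a comment naming the consumer, e.g. `permissions:` followed by `contents: read  # checkout in workflow-test.yml`. The `actions: read` granted to the `build` job in the `@@ -18,6 +22,9 @@` hunk carries no such comment, unlike the `pages`/`id-token` entries later in this file; if nothing in that job reads workflow runs or artifacts through the API, it can go.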
@@ -125,7 +135,7 @@ jobs: id: date run: echo "::set-output name=date::$(date -u +'%Y-%m-%d %H:%M:%S')" - name: attempt to release - uses: changesets/action@v1 + uses: changesets/action@e0538e686673de0265c8a3e2904b8c76beaa43fd # v1.5.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} @@ -184,6 +194,7 @@ jobs: needs: build-all if: github.repository == 'lynx-family/lynx-stack' uses: ./.github/workflows/workflow-website.yml + permissions: {} website-deploy: needs: website-build if: github.repository == 'lynx-family/lynx-stack' @@ -192,6 +203,7 @@ jobs: permissions: pages: write # to deploy to Pages id-token: write # to verify the deployment originates from an appropriate source + contents: read # Deploy to the github-pages environment environment: diff --git a/.github/workflows/nodejs-dependencies.yml b/.github/workflows/nodejs-dependencies.yml index fed24dc0ef..7ada76b3f7 100644 --- a/.github/workflows/nodejs-dependencies.yml +++ b/.github/workflows/nodejs-dependencies.yml @@ -7,6 +7,10 @@ name: NodeJS Dependencies - package.json - pnpm-lock.yaml - "**/package.json" + +# Set minimum permissions to prevent unnecessary access +permissions: {} + env: CI: 1 TURBO_TELEMETRY_DISABLED: 1 @@ -16,6 +20,8 @@ concurrency: jobs: sherif: runs-on: lynx-ubuntu-24.04-medium + permissions: + contents: read steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index d804392a6f..a8609bf5a8 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -9,6 +9,10 @@ on: CODECOV_TOKEN: required: true +# Set minimum permissions to prevent unnecessary access +permissions: {} + + env: CI: 1 TURBO_TELEMETRY_DISABLED: 1 @@ -18,6 +22,8 @@ concurrency: jobs: test: runs-on: lynx-ubuntu-24.04-xlarge + permissions: + contents: read steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: 
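Review bot: Pinning `changesets/action` to a commit SHA in the `@@ -125,7 +135,7 @@` hunk of deploy-main.yml is the right move, but this file now opens with `permissions: {}`, so the token in `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` carries no scopes unless the enclosing job, which starts outside this hunk, declares its own block. That action pushes the version commit and tags and opens the release pull request, which needs `contents: write` and `pull-requests: write` on the job; if the block is not already there, add it with a one-line comment per scope in the style of the `website-deploy` job further down. `NODE_AUTH_TOKEN` is a repository secret and is unaffected by `permissions`, so a missing scope would surface only as a 403 from the action at release time, not in the build.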
@@ -46,6 +52,8 @@ jobs: rustfmt: runs-on: lynx-ubuntu-24.04-medium + permissions: + contents: read steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 5e8d8bca93..36fb2c55df 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -3,9 +3,15 @@ on: schedule: - cron: "30 17 * * *" +# Set minimum permissions to prevent unnecessary access +permissions: {} + jobs: stale: runs-on: ubuntu-latest + permissions: + issues: write # Need write permission to mark and close stale issues + pull-requests: write # Need write permission to mark and close stale PRs steps: - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9 if: github.repository == 'lynx-family/lynx-stack' diff --git a/.github/workflows/workflow-test.yml b/.github/workflows/workflow-test.yml index 96650c34b7..d75cdc8001 100644 --- a/.github/workflows/workflow-test.yml +++ b/.github/workflows/workflow-test.yml @@ -12,6 +12,7 @@ on: run: required: true type: string + description: "Command run parameters, limited to predefined test commands" is-web: required: false type: boolean @@ -21,12 +22,19 @@ on: type: string default: "unittest" +# Set minimum permissions to prevent unnecessary access +permissions: {} + env: CI: 1 TURBO_TELEMETRY_DISABLED: 1 jobs: check: runs-on: ${{ inputs.runs-on }} + permissions: + contents: read + checks: write # For test result reports + pull-requests: read # For PR related information steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: 
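Review bot: The new `description` for the `run` input in the `@@ -12,6 +12,7 @@` hunk of workflow-test.yml says the value is "limited to predefined test commands", but nothing in this workflow defines such a list: the guard added later in this patch only checks a `pnpm run test` prefix, and patch 5 of this series (`ci: fix test`) removes even that, after which the `check` job runs the caller's text verbatim. Callers in test.yml also pass multi-line scripts through it (`run: |` in `test-api` and `test-publish`). I would make the description state what the job does, e.g. `description: "Shell script run by the check job after checkout and build; callers are workflows in this repository"`, so a later reader does not rely on a restriction that does not exist. The `checks: write # For test result reports` scope on the `check` job in the `@@ -21,12 +22,19 @@` hunk is likewise not backed by a visible step that creates check runs; if a reporter action needs it, name that action in the comment.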
@@ -63,7 +71,15 @@ jobs: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} LHCI_GITHUB_APP_TOKEN: ${{ secrets.LHCI_GITHUB_APP_TOKEN }} - run: ${{ inputs.run }} + # Run commands in a secure way to avoid code injection + run: | + # Validate if the input command matches the expected format + if [[ "${{ inputs.run }}" =~ ^pnpm\ run\ test.*$ ]]; then + ${{ inputs.run }} + else + echo "Error: Disallowed command format. Only commands starting with 'pnpm run test' are allowed." + exit 1 + fi - name: Upload coverage reports to Codecov uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5 with: From 03778e26260ec2e8fb951a6640c9ec9952d1a2f4 Mon Sep 17 00:00:00 2001 From: Qingyu Wang <40660121+colinaaa@users.noreply.github.com> Date: Sat, 17 May 2025 21:43:31 +0800 Subject: [PATCH 2/6] fix: add `checks: write` --- .github/workflows/deploy-main.yml | 4 ++-- .github/workflows/test.yml | 15 +++++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-main.yml b/.github/workflows/deploy-main.yml index 2246c9f674..d96707bf59 100644 --- a/.github/workflows/deploy-main.yml +++ b/.github/workflows/deploy-main.yml @@ -10,7 +10,6 @@ on: # Set default minimum permissions to prevent unnecessary access permissions: {} - env: CI: 1 TURBO_TELEMETRY_DISABLED: 1 @@ -78,7 +77,8 @@ jobs: needs: build-all uses: ./.github/workflows/workflow-test.yml if: github.repository == 'lynx-family/lynx-stack' - permissions: {} + permissions: + checks: write secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 895099e26f..7f7ff13e6d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -11,6 +11,7 @@ permissions: repository-projects: read contents: read statuses: read + env: CI: 1 TURBO_TELEMETRY_DISABLED: 1 
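Review bot: The guard in the `@@ -63,7 +71,15 @@` hunk of workflow-test.yml does not deliver what its `# Run commands in a secure way to avoid code injection` comment promises. `${{ inputs.run }}` is substituted into the script text before bash starts, so the `[[ … =~ ]]` test sees whatever the substitution produced rather than a runtime string: a newline or a double quote in the value changes the script's syntax, and the pattern `^pnpm\ run\ test.*$` pins only the first three words while accepting any trailing text. The callers in test.yml already pass multi-line `run: |` scripts (`test-api`, `test-publish`), which is presumably why patch 5 of this series reverts this block. If a real restriction is wanted, the callee should own the commands — accept a short selector input and dispatch on it with a `case` statement so no caller-supplied text reaches the shell; if it is not, keep the plain `run: ${{ inputs.run }}` and document that callers are same-repository workflows. The step also exports `GITHUB_TOKEN` and `LHCI_GITHUB_APP_TOKEN` into the environment of every caller's command; narrowing those to the jobs that use them is a related cleanup.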
@@ -58,6 +59,7 @@ jobs: needs: build uses: ./.github/workflows/workflow-test.yml permissions: + checks: write contents: read pull-requests: read statuses: write @@ -73,6 +75,8 @@ jobs: playwright-linux: needs: build uses: ./.github/workflows/workflow-test.yml + permissions: + checks: write secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -87,6 +91,8 @@ jobs: playwright-linux-all-on-ui: needs: build uses: ./.github/workflows/workflow-test.yml + permissions: + checks: write secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -102,6 +108,8 @@ jobs: test-api: needs: build uses: ./.github/workflows/workflow-test.yml + permissions: + checks: write with: runs-on: lynx-ubuntu-24.04-medium run: | @@ -127,6 +135,7 @@ jobs: needs: build uses: ./.github/workflows/workflow-test.yml permissions: + checks: write contents: read pull-requests: read statuses: read @@ -156,6 +165,8 @@ jobs: test-react: needs: build uses: ./.github/workflows/workflow-test.yml + permissions: + checks: write secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -184,6 +195,8 @@ jobs: test-type: needs: build uses: ./.github/workflows/workflow-test.yml + permissions: + checks: write secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -192,6 +205,8 @@ jobs: test-vitest: needs: build uses: ./.github/workflows/workflow-test.yml + permissions: + checks: write secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: From 2c609c2159004b1e9cee1b60ab4f4ac2e845937d Mon Sep 17 00:00:00 2001 
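Review bot: In the `playwright-linux`, `playwright-linux-all-on-ui`, `test-api`, `test-react`, `test-type` and `test-vitest` hunks of test.yml a `permissions:` block containing only `checks: write` is added to jobs that previously had none. A job-level `permissions` block replaces the inherited set rather than extending it — every scope not listed becomes `none` — so these jobs now pass `contents: none` down to workflow-test.yml, whose `check` job asks for `contents: read` for checkout; patch 3 of this series adds `contents: read` and `pull-requests: read` back to each of them. The two jobs that already had a block (`@@ -58,6 +59,7 @@` and `@@ -127,6 +135,7 @@`) are unaffected. Granting the full set in one commit keeps each intermediate commit runnable and lets the permission set be reviewed as a unit.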
From: Qingyu Wang <40660121+colinaaa@users.noreply.github.com> Date: Sat, 17 May 2025 21:50:52 +0800 Subject: [PATCH 3/6] ci(workflows): add read permissions for contents and pull-requests This commit adds 'contents: read' and 'pull-requests: read' permissions to multiple jobs in the GitHub workflows. These permissions are necessary to ensure the workflows can access repository contents and pull request data, which is essential for their proper execution. --- .github/workflows/deploy-main.yml | 2 ++ .github/workflows/test.yml | 12 ++++++++++++ 2 files changed, 14 insertions(+) diff --git a/.github/workflows/deploy-main.yml b/.github/workflows/deploy-main.yml index d96707bf59..005a7a6746 100644 --- a/.github/workflows/deploy-main.yml +++ b/.github/workflows/deploy-main.yml @@ -79,6 +79,8 @@ jobs: if: github.repository == 'lynx-family/lynx-stack' permissions: checks: write + contents: read + pull-requests: read secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7f7ff13e6d..b03f7f52ab 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -77,6 +77,8 @@ jobs: uses: ./.github/workflows/workflow-test.yml permissions: checks: write + contents: read + pull-requests: read secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -93,6 +95,8 @@ jobs: uses: ./.github/workflows/workflow-test.yml permissions: checks: write + contents: read + pull-requests: read secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -110,6 +114,8 @@ jobs: uses: ./.github/workflows/workflow-test.yml permissions: checks: write + contents: read + pull-requests: read with: runs-on: lynx-ubuntu-24.04-medium run: | @@ -167,6 +173,8 @@ jobs: uses: ./.github/workflows/workflow-test.yml permissions: checks: write + contents: read + pull-requests: read secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: 
@@ -197,6 +205,8 @@ jobs: uses: ./.github/workflows/workflow-test.yml permissions: checks: write + contents: read + pull-requests: read secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -207,6 +217,8 @@ jobs: uses: ./.github/workflows/workflow-test.yml permissions: checks: write + contents: read + pull-requests: read secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: From eac7777caa2831811bcc769226d550809160dfb1 Mon Sep 17 00:00:00 2001 From: Qingyu Wang <40660121+colinaaa@users.noreply.github.com> Date: Sat, 17 May 2025 21:53:07 +0800 Subject: [PATCH 4/6] fix: format --- .github/workflows/rust.yml | 1 - .github/workflows/workflow-test.yml | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index a8609bf5a8..62cb1f50cb 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -12,7 +12,6 @@ on: # Set minimum permissions to prevent unnecessary access permissions: {} - env: CI: 1 TURBO_TELEMETRY_DISABLED: 1 diff --git a/.github/workflows/workflow-test.yml b/.github/workflows/workflow-test.yml index d75cdc8001..bc40f3b1ad 100644 --- a/.github/workflows/workflow-test.yml +++ b/.github/workflows/workflow-test.yml @@ -33,8 +33,8 @@ jobs: runs-on: ${{ inputs.runs-on }} permissions: contents: read - checks: write # For test result reports - pull-requests: read # For PR related information + checks: write # For test result reports + pull-requests: read # For PR related information steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: From cf09b7732e80eb8012c5284095d7b4ae1de0ca69 Mon Sep 17 00:00:00 2001 From: Qingyu Wang <40660121+colinaaa@users.noreply.github.com> Date: Sat, 17 May 2025 22:08:57 +0800 Subject: [PATCH 5/6] ci: fix test --- .github/workflows/workflow-test.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) 
diff --git a/.github/workflows/workflow-test.yml b/.github/workflows/workflow-test.yml index bc40f3b1ad..f26c6bf8d2 100644 --- a/.github/workflows/workflow-test.yml +++ b/.github/workflows/workflow-test.yml @@ -71,15 +71,7 @@ jobs: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} LHCI_GITHUB_APP_TOKEN: ${{ secrets.LHCI_GITHUB_APP_TOKEN }} - # Run commands in a secure way to avoid code injection - run: | - # Validate if the input command matches the expected format - if [[ "${{ inputs.run }}" =~ ^pnpm\ run\ test.*$ ]]; then - ${{ inputs.run }} - else - echo "Error: Disallowed command format. Only commands starting with 'pnpm run test' are allowed." - exit 1 - fi + run: ${{ inputs.run }} - name: Upload coverage reports to Codecov uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5 with: From 14351bc67ed34b871fa2dd8e49a6ddb94f955639 Mon Sep 17 00:00:00 2001 From: Qingyu Wang <40660121+colinaaa@users.noreply.github.com> Date: Sat, 17 May 2025 22:12:13 +0800 Subject: [PATCH 6/6] fix: permission --- .github/workflows/deploy-main.yml | 4 ---- .github/workflows/test.yml | 35 +++-------------------------- .github/workflows/workflow-test.yml | 5 +---- 3 files changed, 4 insertions(+), 40 deletions(-) diff --git a/.github/workflows/deploy-main.yml b/.github/workflows/deploy-main.yml index 005a7a6746..8d7cff867e 100644 --- a/.github/workflows/deploy-main.yml +++ b/.github/workflows/deploy-main.yml @@ -77,10 +77,6 @@ jobs: needs: build-all uses: ./.github/workflows/workflow-test.yml if: github.repository == 'lynx-family/lynx-stack' - permissions: - checks: write - contents: read - pull-requests: read secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b03f7f52ab..a2c2ebeca9 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -59,9 +59,6 @@ jobs: needs: build uses: ./.github/workflows/workflow-test.yml permissions: - checks: write - contents: read - pull-requests: read statuses: write secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} @@ -75,10 +72,7 @@ jobs: playwright-linux: needs: build uses: ./.github/workflows/workflow-test.yml - permissions: - checks: write - contents: read - pull-requests: read + secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -93,10 +87,7 @@ jobs: playwright-linux-all-on-ui: needs: build uses: ./.github/workflows/workflow-test.yml - permissions: - checks: write - contents: read - pull-requests: read + secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -112,10 +103,7 @@ jobs: test-api: needs: build uses: ./.github/workflows/workflow-test.yml - permissions: - checks: write - contents: read - pull-requests: read + with: runs-on: lynx-ubuntu-24.04-medium run: | @@ -140,11 +128,6 @@ jobs: test-publish: needs: build uses: ./.github/workflows/workflow-test.yml - permissions: - checks: write - contents: read - pull-requests: read - statuses: read with: runs-on: lynx-ubuntu-24.04-medium run: | @@ -171,10 +154,6 @@ jobs: test-react: needs: build uses: ./.github/workflows/workflow-test.yml - permissions: - checks: write - contents: read - pull-requests: read secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -203,10 +182,6 @@ jobs: test-type: needs: build uses: ./.github/workflows/workflow-test.yml - permissions: - checks: write - contents: read - pull-requests: read secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -215,10 +190,6 @@ jobs: test-vitest: needs: build uses: ./.github/workflows/workflow-test.yml - permissions: - checks: write - contents: read - pull-requests: read secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: diff --git a/.github/workflows/workflow-test.yml b/.github/workflows/workflow-test.yml index f26c6bf8d2..dd727122d2 100644 --- a/.github/workflows/workflow-test.yml 
+++ b/.github/workflows/workflow-test.yml @@ -31,10 +31,7 @@ env: jobs: check: runs-on: ${{ inputs.runs-on }} - permissions: - contents: read - checks: write # For test result reports - pull-requests: read # For PR related information + permissions: {} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with:
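Review bot: `permissions: {}` on the `check` job in the `@@ -31,10 +31,7 @@` hunk of workflow-test.yml leaves the `GITHUB_TOKEN` that the run step exports with no scopes at all, while the removed lines show the job was meant to write check runs and read pull requests. With no `contents: read`, checkout presumably works only because the repository is public, and any step or test that calls the API with that token will get 403s (`CODECOV_TOKEN` and `LHCI_GITHUB_APP_TOKEN` are separate secrets and are unaffected); patch 2's subject, `add checks: write`, says something needed that scope, and nothing in this series shows why it no longer does. The `statuses: write` that the first caller job in test.yml keeps after this patch is now unreachable, since a callee cannot exceed the ceiling it sets for itself here. I would keep `contents: read` on this job and re-add `checks: write` only together with a comment naming the step that uses it, e.g. `checks: write  # <reporter step> publishes test results`.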