From bd3f865c9ba317efb521eec6b4ac970549e2a946 Mon Sep 17 00:00:00 2001 From: Olaoluwa Ademola Salami Date: Wed, 24 Jan 2024 21:50:37 +0000 Subject: [PATCH] test permissions (#1264) * test permissions * test least permissions * remove contents permissions * testing permisions * Update deploy-website.yml permission block --------- Co-authored-by: Davor Runje Co-authored-by: Eric Zhu Co-authored-by: Chi Wang --- .github/workflows/build.yml | 6 +++++- .github/workflows/contrib-openai.yml | 6 +++++- .github/workflows/contrib-tests.yml | 6 +++++- .github/workflows/deploy-website.yml | 7 ++++++- .github/workflows/dotnet-run-openai-test-and-notebooks.yml | 6 +++++- .github/workflows/openai.yml | 5 +++++ .github/workflows/pre-commit.yml | 6 +++++- .github/workflows/python-package.yml | 6 +++++- 8 files changed, 41 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d809f8bd7398..e7c0e1aa7c2d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -19,7 +19,11 @@ on: concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} - +permissions: {} + # actions: read + # checks: read + # contents: read + # deployments: read jobs: build: runs-on: ${{ matrix.os }} diff --git a/.github/workflows/contrib-openai.yml b/.github/workflows/contrib-openai.yml index d885ff113456..f173055d7f94 100644 --- a/.github/workflows/contrib-openai.yml +++ b/.github/workflows/contrib-openai.yml @@ -11,7 +11,11 @@ on: - 'test/agentchat/contrib/**' - '.github/workflows/contrib-openai.yml' - 'setup.py' - +permissions: {} + # actions: read + # checks: read + # contents: read + # deployments: read jobs: RetrieveChatTest: strategy: diff --git a/.github/workflows/contrib-tests.yml b/.github/workflows/contrib-tests.yml index a60b8979a439..ceb19ebbef21 100644 --- a/.github/workflows/contrib-tests.yml +++ b/.github/workflows/contrib-tests.yml 
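Review bot: The four commented-out scopes are indented beneath `permissions: {}` in build.yml as if they were children of the mapping, but `{}` is already a complete flow mapping, so uncommenting any of them as written would be a YAML error. The same block is repeated in contrib-openai.yml, contrib-tests.yml, dotnet-run-openai-test-and-notebooks.yml, openai.yml, pre-commit.yml and python-package.yml. I would keep the empty default and replace the dead lines with a one-line rationale such as `# Default-deny: GITHUB_TOKEN gets no scopes; grant per job only what a step needs.` The job bodies are outside these hunks, so confirm that no step relies on the token (checkout in a private repository or fork needs `contents: read`, for example) and grant the scope at job level where one does.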
@@ -15,7 +15,11 @@ on: concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} - +permissions: {} + # actions: read + # checks: read + # contents: read + # deployments: read jobs: RetrieveChatTest: runs-on: ${{ matrix.os }} diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml index 3571697ace21..9ca44150eed5 100644 --- a/.github/workflows/deploy-website.yml +++ b/.github/workflows/deploy-website.yml @@ -16,7 +16,12 @@ on: workflow_dispatch: merge_group: types: [checks_requested] - +permissions: + pages: write + # actions: read + # checks: read + # contents: read + # deployments: read jobs: checks: if: github.event_name != 'push' diff --git a/.github/workflows/dotnet-run-openai-test-and-notebooks.yml b/.github/workflows/dotnet-run-openai-test-and-notebooks.yml index 687b474afd63..2a2c97188abe 100644 --- a/.github/workflows/dotnet-run-openai-test-and-notebooks.yml +++ b/.github/workflows/dotnet-run-openai-test-and-notebooks.yml @@ -7,7 +7,11 @@ on: - 'dotnet/**' env: BUILD_CONFIGURATION: Release # set this to the appropriate build configuration - +permissions: {} + # actions: read + # checks: read + # contents: read + # deployments: read jobs: build: environment: dotnet diff --git a/.github/workflows/openai.yml b/.github/workflows/openai.yml index e1ce5a363d90..260f687803df 100644 --- a/.github/workflows/openai.yml +++ b/.github/workflows/openai.yml @@ -12,6 +12,11 @@ on: - "notebook/agentchat_auto_feedback_from_code_execution.ipynb" - "notebook/agentchat_function_call.ipynb" - ".github/workflows/openai.yml" +permissions: {} + # actions: read + # checks: read + # contents: read + # deployments: read jobs: test: diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 70ff6009979b..18b23afd18e3 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml 
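Review bot: In deploy-website.yml, `pages: write` is granted at workflow level, so it also reaches the `checks` job, which the context lines show is gated on `github.event_name != 'push'` and so runs for events like `merge_group` and `workflow_dispatch` rather than for a deployment. Moving the grant into the deploying job, with `permissions: {}` at the top, would leave those runs with no token scopes. Naming one scope sets every unlisted scope to none, so `contents` is unavailable to every job here. The deploy step is outside the hunk, but if it publishes by pushing to a branch with `GITHUB_TOKEN` it needs `contents: write`, and if it uses the Pages deployment action it also needs `id-token: write`. The commented-out read scopes under `pages: write` would be better replaced by a comment stating why each granted scope is required.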
@@ -9,7 +9,11 @@ on: # Trigger the workflow on pull request or merge defaults: run: shell: bash - +permissions: {} + # actions: read + # checks: read + # contents: read + # deployments: read jobs: pre-commit-check: diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml index 067dd9115d97..4f57c10ef706 100644 --- a/.github/workflows/python-package.yml +++ b/.github/workflows/python-package.yml @@ -7,7 +7,11 @@ name: python-package on: release: types: [published] - +permissions: {} + # actions: read + # checks: read + # contents: read + # deployments: read jobs: deploy: strategy:
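Review bot: In python-package.yml the workflow runs on a published release and its job is named `deploy`, yet nothing next to `permissions: {}` says how that job authenticates once the token has no scopes. The job body is outside the hunk, so this is inferred from the names only. If publishing uses a repository secret, the empty block is correct and worth documenting, e.g. `# GITHUB_TOKEN is unused here; publishing authenticates with a repository secret.` If the job instead attaches release assets or uses OIDC-based publishing, it would need a job-level `contents: write` or `id-token: write` respectively.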