From 68ad4b5c30b11a074e2238fcc5d5ff939eb979b9 Mon Sep 17 00:00:00 2001
From: yasnagat
Date: Sun, 31 May 2026 21:27:44 -0300
Subject: [PATCH] chore: apply least privilege permissions to github actions
---
 .github/workflows/build.yml | 7 ++++---
 .github/workflows/golangci-lint.yml | 7 ++++---
 .github/workflows/promote.yml | 4 ++++
 3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7718cad..f50f01e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,15 +8,15 @@ on:
 - main
 pull_request:
-permissions:
- contents: read
- pull-requests: read
+permissions: {}
 env:
 __W_SRC_REL: go/src/github.com/RocketChat/airlock
 jobs:
 build:
 name: Build and test
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 strategy:
 matrix:
 platform: [linux/amd64, linux/arm64]
@@ -72,6 +72,7 @@ jobs:
 needs: [build]
 name: Join platform tags
 runs-on: ubuntu-latest
+ permissions: {}
 steps:
 - name: Login to Docker Registry
 uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index cb80d5f..1a53bdf 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -8,13 +8,14 @@ on:
 - master
 - main
 pull_request:
-permissions:
- contents: read
- pull-requests: read
+permissions: {}
 jobs:
 golangci:
 name: lint
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: read
 steps:
 - uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3.6.1
 with:
diff --git a/.github/workflows/promote.yml b/.github/workflows/promote.yml
index faad793..38eddae 100644
--- a/.github/workflows/promote.yml
+++ b/.github/workflows/promote.yml
@@ -7,9 +7,13 @@ on:
 - main
 - develop
+permissions: {}
+
 jobs:
 promote:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 env:
 CLOUD_OPS_REPO: RocketChat/cloud-ops
 IMAGE_NAME: airlock
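Review bot: In build.yml the `Join platform tags` job (second hunk) now runs with a token that has no scopes, and `build` (first hunk) has only `contents: read`; that is correct only if `docker/login-action` authenticates with registry credentials from secrets rather than with `GITHUB_TOKEN`. The `with:` inputs of the login step are outside the hunk, so this cannot be confirmed from the visible lines. If either job pushes to GitHub's container registry with the workflow token, that job would need `packages: write`; otherwise record the reason next to the empty block, for example `permissions: {} # registry login uses repository secrets, not GITHUB_TOKEN`. Both job bodies continue outside the hunks.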
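Review bot: In golangci-lint.yml `pull-requests: read` is carried over to the `golangci` job without a stated reason, so a later reader cannot tell whether the scope is still needed. As far as I know the golangci-lint action needs it only for its `only-new-issues` option; the lint step is outside the hunk, so check whether that option is set. If it is, annotate the line, e.g. `pull-requests: read # required by only-new-issues`; if it is not, drop the line so the job runs with `contents: read` alone.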
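Review bot: In promote.yml `contents: read` on `promote` limits only this repository's `GITHUB_TOKEN`; whatever the job does against `CLOUD_OPS_REPO` presumably uses a separate credential, and the scope of that credential is the real privilege boundary for this workflow. The steps are outside the hunk, so which token they use is not visible here. If the job never checks out this repository, `permissions: {}` would be enough; if it does, a comment such as `contents: read # checkout of this repo only; cloud-ops access uses a separate token` makes the split explicit.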