Restricted GHA token permissions to minimum required

v7labs · Aug 22, 2024 · 33722ec · 33722ec
1 parent 2ff3437
commit 33722ec
Show file tree

Hide file tree

Showing 9 changed files with 32 additions and 9 deletions.
diff --git a/.github/workflows/EVENT_merge_to_master.yml b/.github/workflows/EVENT_merge_to_master.yml
@@ -8,7 +8,7 @@ on:
   workflow_call:
 
 permissions:
-  contents: write
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -41,6 +41,9 @@ jobs:
     if: ${{ success() }}
     name: Success
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      statuses: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1

diff --git a/.github/workflows/EVENT_pull_request.yml b/.github/workflows/EVENT_pull_request.yml
@@ -18,28 +18,38 @@ jobs:
   get_changed_files:
     name: Get changed files
     uses: ./.github/workflows/JOB_get_changed_files.yml
+    permissions:
+      contents: read
 
   format:
     name: Check format of python
     needs: get_changed_files
     uses: ./.github/workflows/JOB_format.yml
     with:
       files: ${{ needs.get_changed_files.outputs.python_changed_files }}
+    permissions:
+      contents: read
 
   lint:
     name: Lint python
     needs: get_changed_files
     uses: ./.github/workflows/JOB_lint.yml
     with:
       files: ${{ needs.get_changed_files.outputs.python_changed_files }}
+    permissions:
+      contents: read
 
   # typecheck:
   #   name: Analyse types in python
   #   needs: get_changed_files
   #   uses: ./.github/workflows/JOB_typecheck.yml
   #   with:
   #     files: ${{ needs.get_changed_files.outputs.python_changed_files }}
+  #   permissions:
+  #     contents: read
 
   run_tests:
     name: Run tests
     uses: ./.github/workflows/JOB_tests.yml
+    permissions:
+      contents: read
diff --git a/.github/workflows/EVENT_release.yml b/.github/workflows/EVENT_release.yml
@@ -23,7 +23,7 @@ on:
         required: false
 
 permissions:
-  contents: write
+  contents: read
 
 env:
   release_id: ${{ inputs.release_id || github.event.release.id }}
@@ -34,6 +34,8 @@ env:
 jobs:
   validate_tag:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
@@ -73,6 +75,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       id-token: write
+      contents: write
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
@@ -101,6 +104,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       id-token: write
+      contents: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1

diff --git a/.github/workflows/EVENT_tag.yml b/.github/workflows/EVENT_tag.yml
@@ -21,6 +21,8 @@ jobs:
   create_release:
     name: Create Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
@@ -41,4 +43,3 @@ jobs:
           release_name: ${{ github.ref }}
           draft: true
           prerelease: false
-
diff --git a/.github/workflows/EVENT_update-linear-labels.yml b/.github/workflows/EVENT_update-linear-labels.yml
@@ -13,6 +13,8 @@ jobs:
     if: github.ref_name != 'master' && !github.event.pull_request.head.repo.fork
     name: Update Linear
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1

diff --git a/.github/workflows/JOB_check-master-can-release.yml b/.github/workflows/JOB_check-master-can-release.yml
@@ -10,6 +10,8 @@ permissions:
 jobs:
   check-master-can-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
@@ -51,4 +53,3 @@ jobs:
             if (commits.length === 0) {
               throw new Error('No commits in master since last release');
             }
-
diff --git a/.github/workflows/JOB_e2e.yml b/.github/workflows/JOB_e2e.yml
@@ -21,6 +21,8 @@ on:
 jobs:
   e2e:
     name: End to End Testing
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -62,6 +64,8 @@ jobs:
     name: Slack Notifier Bot
     needs: e2e
     if: failure() && github.event_name == 'schedule'
+    permissions:
+      contents: read
     uses: ./.github/workflows/JOB_slack_message.yml
     with:
       message: |

diff --git a/.github/workflows/JOB_lint.yml b/.github/workflows/JOB_lint.yml
@@ -16,6 +16,8 @@ jobs:
   lint:
     if: ${{ inputs.files != '' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - name: Harden Runner
       uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1

diff --git a/deploy/_filter_files.py b/deploy/_filter_files.py
@@ -11,11 +11,7 @@ def main(argv: List[str]) -> None:
     if file_extension.startswith("."):
         file_extension = file_extension[1:]
 
-    files_out = [
-        file
-        for file in files_in
-        if file.endswith(f".{file_extension}") and "future" in file
-    ]
+    files_out = [file for file in files_in if file.endswith(f".{file_extension}")]
 
     print(" ".join(files_out))