From f630528b00dee112b6f002f7ae5c0f25faeacc81 Mon Sep 17 00:00:00 2001
From: "brian m. carlson"
Date: Tue, 22 Oct 2024 17:52:57 +0000
Subject: [PATCH] workflow: set restricted permissions

If no explicit permissions are set for a GitHub Actions run, then the repository or organization permissions are used, which can be too broad. Let's specifically set the permissions to read-only for the contents of the repository, since we only need to clone and test our code. That way, we'll be taking advantage of the principle of least privilege.

---
 .github/workflows/go-test.yml | 3 +++
 .github/workflows/golangci-lint.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml
index d2c2f8a..f1d7507 100644
--- a/.github/workflows/go-test.yml
+++ b/.github/workflows/go-test.yml
@@ -1,5 +1,8 @@
 name: go test
+permissions:
+ contents: read
+
 on:
 push:
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index de79989..53963ad 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -1,5 +1,8 @@
 name: golangci-lint
+permissions:
+ contents: read
+
 on:
 push: