1
0
mirror of https://github.com/pi-hole/pi-hole synced 2024-12-22 14:58:08 +00:00

build: harden workflow permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>
This commit is contained in:
Alex 2022-12-08 20:00:33 +02:00 committed by sashashura
parent 0034538794
commit ddf972cede
No known key found for this signature in database
GPG Key ID: 493F722E6CDD0700

View File

@ -5,8 +5,30 @@ on:
branches:
- master
# The section is needed to drop the default write-all permissions for all jobs
# that are granted on `push` event. By specifying any permission explicitly
# all others are set to none. By using the principle of least privilege the damage a compromised
# workflow can do (because of an injection or compromised third party tool or
# action) is restricted. Adding labels to issues, commenting
# on pull-requests, etc. may need additional permissions:
#
# Syntax for this section:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
#
# Reference for how to assign permissions on a job-by-job basis:
# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
#
# Reference for available permissions that we can enable if needed:
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
permissions: {}
jobs:
sync-branches:
# The job needs to be able to pull the code and create a pull request.
permissions:
contents: read # for actions/checkout
pull-requests: write # to create pull request
runs-on: ubuntu-latest
name: Syncing branches
steps: