Admins will be upgrading ORNL GitLab Servers on Saturday, 16 May 2026, from 7 AM until 11 AM EST. Repositories will experience intermittent outages during this time.

Commit 6b8ce4ae authored Oct 26, 2024 by Silvan Mosberger

workflows: Fix security issues



read-all permissions gives access to e.g. security-events, which these
don't need, and can easily lead to leaks

Co-Authored-By: 13x1 <tori@disroot.org>
Co-Authored-By: basti564 <e3e@disroot.org>

parent 59aee1ca

.github/workflows/codeowners.yml

+3 −0

Original line number	Diff line number	Diff line
		@@ -24,6 +24,9 @@ on:
		pull_request_target:
		types: [opened, ready_for_review, synchronize, reopened, edited]

		# We don't need any default GitHub token
		permissions: {}

		env:
		OWNERS_FILE: ci/OWNERS
		# Don't do anything on draft PRs

.github/workflows/editorconfig.yml

+3 −1

Original line number	Diff line number	Diff line
		name: "Checking EditorConfig"

		permissions: read-all
		permissions:
		pull-requests: read
		contents: read

		on:
		# avoids approving first time contributors

.github/workflows/manual-nixos.yml

+2 −1

Original line number	Diff line number	Diff line
		name: "Build NixOS manual"

		permissions: read-all
		permissions:
		contents: read

		on:
		pull_request_target:

.github/workflows/manual-nixpkgs.yml

+2 −1

Original line number	Diff line number	Diff line
		name: "Build Nixpkgs manual"

		permissions: read-all
		permissions:
		contents: read

		on:
		pull_request_target:

.github/workflows/nix-parse.yml

+3 −1

Original line number	Diff line number	Diff line
		name: "Check whether nix files are parseable"

		permissions: read-all
		permissions:
		pull-requests: read
		contents: read

		on:
		# avoids approving first time contributors