chore: Set permissions for GitHub actions (#2334)

nathannaveen · Uzlopak · web-flow · commit 3fc5cc34fb95 · 2023-10-30T18:40:14.000+01:00
* chore: Set permissions for GitHub actions Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: nathannaveen <42319948+nathannaveen@users.noreply.github.com> * fix ci --------- Signed-off-by: nathannaveen <42319948+nathannaveen@users.noreply.github.com> Co-authored-by: Aras Abbasi <aras.abbasi@googlemail.com>
diff --git a/.github/workflows/continuous-integration.yaml b/.github/workflows/continuous-integration.yaml
@@ -7,6 +7,9 @@ name: Continuous Integration
   push:
     branches:
       - main
+permissions:
+  contents: read
+
 jobs:
   format:
     name: Format
@@ -36,7 +39,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: 16
+          node-version: lts/*
           cache: 'npm'
       - name: Install dependencies
         run: npm ci --ignore-scripts --no-audit --no-progress --prefer-offline
@@ -53,7 +56,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: 16
+          node-version: lts/*
           cache: 'npm'
       - name: Install dependencies
         run: npm ci --ignore-scripts --no-audit --no-progress --prefer-offline
diff --git a/.github/workflows/fix-formatting.yaml b/.github/workflows/fix-formatting.yaml
@@ -5,8 +5,13 @@ name: Fix formatting
       - dependabot/npm_and_yarn/prettier-*
       - dependabot/npm_and_yarn/eslint-*
   workflow_dispatch: {}
+permissions:
+  contents: read
+
 jobs:
   fixFormatting:
+    permissions:
+      contents: write # for Git to git push
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
