buo / homebrew-cask-upgrade

A command line tool for upgrading every outdated app installed by Homebrew Cask
MIT License

Make GitHub Actions to be read-only #216

Closed yurikoles closed 1 year ago

yurikoles commented 1 year ago

Make GitHub Actions to be read-only[0].

[0] https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

Signed-off-by: Yurii Kolesnykov <root@yurikoles.com>

yurikoles commented 1 year ago

By default, GHA uses a token with write access to some of the repo's scopes, so limiting it to the necessary minimum is good practice.

ondrejfuhrer commented 1 year ago

@yurikoles that makes sense. Just wasn't sure exactly what it affects 🙂

yurikoles commented 1 year ago

Oh, I forgot to post proof. Before this PR, GHA logged this in Set up job:

GITHUB_TOKEN Permissions
  Actions: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

After:

GITHUB_TOKEN Permissions
  Contents: read
  Metadata: read
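
As an added example (not part of the PR or of anyone's comment in this thread), a small Python check that parses the "GITHUB_TOKEN Permissions" block from a "Set up job" log in the format quoted above and lists every scope granted above a read-only baseline. The function names, the baseline dictionary and the timestamp handling are assumptions of this example.

```python
import re

# Least-privilege baseline, taken from the "After" log in the thread.
ALLOWED = {"Contents": "read", "Metadata": "read"}
LEVELS = {"none": 0, "read": 1, "write": 2}
HEADER = "GITHUB_TOKEN Permissions"
# Assumption: downloaded raw logs prefix each line with an ISO-8601 timestamp.
TIMESTAMP = re.compile(r"^\d{4}-\d\d-\d\dT\S+Z\s")
SCOPE = re.compile(r"^\s*(\w+):\s*(none|read|write)\s*$")


def parse_token_permissions(log_text):
    """Return {scope: level} from the first GITHUB_TOKEN Permissions block."""
    perms, in_block = {}, False
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw)
        if not in_block:
            in_block = HEADER in line
            continue
        match = SCOPE.match(line)
        if not match:
            break  # first non-scope line ends the block
        perms[match.group(1)] = match.group(2)
    return perms


def excess_scopes(perms, allowed=ALLOWED):
    """List (scope, level) pairs granted above the allowed baseline."""
    if not perms:
        # A log without the block must not pass as "nothing excessive".
        raise ValueError("no GITHUB_TOKEN Permissions block found")
    return sorted(
        (scope, level) for scope, level in perms.items()
        if LEVELS[level] > LEVELS[allowed.get(scope, "none")]
    )


# Sample input rebuilt from the two log excerpts quoted in the thread above.
WRITE_SCOPES = ("Actions Checks Contents Deployments Discussions Issues Packages "
                "Pages PullRequests RepositoryProjects SecurityEvents Statuses").split()
BEFORE_LOG = (HEADER + "\n" + "".join(f"  {s}: write\n" for s in WRITE_SCOPES)
              + "  Metadata: read\n")
AFTER_LOG = HEADER + "\n  Contents: read\n  Metadata: read\n"

if __name__ == "__main__":
    for name, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(name, excess_scopes(parse_token_permissions(log)))
```
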