author | StepSecurity Bot <bot@stepsecurity.io> | 2022-11-25 11:14:05 +0000 |
committer | Hiroshi SHIBATA <hsbt@ruby-lang.org> | 2022-11-28 11:42:40 +0900 |
commit | 595f3063f01ce25122b6d1ae452720b0ec58e86d (patch) | |
tree | 4b5bab45c4b2d26faa5dbb421030375dd148dbe4 /.github | |
parent | e3de7230434d5c78cc06d40893b5d7cf41e7e89c (diff) |
[StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Notes:
Merged: https://github.com/ruby/ruby/pull/6811
Diffstat (limited to '.github')
-rw-r--r-- | .github/workflows/bundled_gems.yml | 5 | ||||
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 7 | ||||
-rw-r--r-- | .github/workflows/wasm.yml | 3 |
3 files changed, 15 insertions, 0 deletions
diff --git a/.github/workflows/bundled_gems.yml b/.github/workflows/bundled_gems.yml
index 034327b356..942988c7d8 100644
--- a/.github/workflows/bundled_gems.yml
+++ b/.github/workflows/bundled_gems.yml
@@ -13,8 +13,13 @@ on:
     - cron: '45 6 * * *'
   workflow_dispatch:
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   update:
+    permissions:
+      contents: write # for Git to git push
     if: ${{ github.event_name != 'schedule' || github.repository == 'ruby/ruby' }}
     name: update ${{ github.workflow }}
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 114f4220a9..fc0e18b57f 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -24,10 +24,17 @@ concurrency:
   group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
   cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   CodeQL-Build:
     # CodeQL runs on ubuntu-latest and windows-latest
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/autobuild to send a status report
     runs-on: ubuntu-latest
     # CodeQL fails to run pull requests from dependabot due to missing write access to upload results.
     if: ${{ !contains(github.event.head_commit.message, '[DOC]') && !contains(github.event.pull_request.labels.*.name, 'Documentation') && github.event.head_commit.pusher.name != 'dependabot[bot]' }}
diff --git a/.github/workflows/wasm.yml b/.github/workflows/wasm.yml
index 28c043b787..3114078256 100644
--- a/.github/workflows/wasm.yml
+++ b/.github/workflows/wasm.yml
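Review bot: The job-level `permissions:` added under `update` replaces the workflow-level set rather than merging with it, so for this job every scope other than `contents` becomes `none`; the steps of `update` lie outside the hunk, so confirm none of them uses `GITHUB_TOKEN` for anything beyond pushing (opening a pull request, for instance, would also need `pull-requests: write`). The top-level `permissions: contents: read` has the same all-else-none effect for every job in codeql-analysis.yml and wasm.yml, whose job bodies are likewise outside the hunks. Suggest making the override explicit where it is granted: `contents: write # for Git to git push; every other scope is none for this job`.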
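Review bot: The comment on `security-events: write` attributes the scope to `github/codeql-action/autobuild`, but the step that actually requires it is `github/codeql-action/analyze`, which uploads the SARIF results to code scanning; the pre-existing comment two lines below ("missing write access to upload results") describes that same requirement. Suggest `security-events: write # for github/codeql-action/analyze to upload code scanning results`. The three scopes granted match what the CodeQL action documents for public repositories; `pull-requests: read` is only needed for CodeQL on private repositories, so its absence here is expected.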
@@ -21,6 +21,9 @@ concurrency:
   group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
   cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   make:
     strategy: