Posted to commits@jena.apache.org by rv...@apache.org on 2022/04/11 08:38:54 UTC
[jena] branch main updated: Set permissions for GitHub actions
This is an automated email from the ASF dual-hosted git repository.
rvesse pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/jena.git
The following commit(s) were added to refs/heads/main by this push:
new 2ac1a94e9f Set permissions for GitHub actions
new 3956004108 Merge pull request #1255 from turrisxyz/naveen/feat/set-perms-actions
2ac1a94e9f is described below
commit 2ac1a94e9f4ed5625b586828cc0d8541df6e137e
Author: neilnaveen <42...@users.noreply.github.com>
AuthorDate: Mon Apr 11 01:10:31 2022 +0000
Set permissions for GitHub actions
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.
Signed-off-by: neilnaveen <42...@users.noreply.github.com>
---
.github/workflows/maven.yml | 3 +++
.github/workflows/maven_macos.yml | 3 +++
.github/workflows/maven_windows.yml | 3 +++
3 files changed, 9 insertions(+)
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 175fffe285..a7c379faf5 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -9,6 +9,9 @@ on: workflow_dispatch
# pull_request:
# branches: [ main ]
+permissions:
+ contents: read
+
jobs:
build:
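Review bot: the top-level `permissions:` block added above `jobs:` leaves the `build` job with no access to any scope other than `contents`, because scopes omitted from a `permissions` block are set to none. The job's steps are not visible in this hunk, so confirm that none of them uses `GITHUB_TOKEN` for anything beyond reading the repository. If one does, grant that scope in a `permissions:` block on the job rather than widening this workflow-wide one. Note also that the commented-out `pull_request:` trigger in the context lines would run under the same read-only token if it is re-enabled, which is the behaviour you want for pull request builds.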
diff --git a/.github/workflows/maven_macos.yml b/.github/workflows/maven_macos.yml
index 9b4caee41a..1678c3a59f 100644
--- a/.github/workflows/maven_macos.yml
+++ b/.github/workflows/maven_macos.yml
@@ -3,6 +3,9 @@
name: Apache Jena CI (MacOS)
on: workflow_dispatch
+permissions:
+ contents: read
+
jobs:
build:
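Review bot: the block inserted between `on: workflow_dispatch` and `jobs:` has no comment saying why it is there, so a later edit could drop or loosen it without noticing. Add a one-line YAML comment above `permissions:` stating that the token is deliberately read-only and that any extra scope should be granted at job level under the job that needs it, so a job added later under `jobs:` does not lead to raising the workflow default.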
diff --git a/.github/workflows/maven_windows.yml b/.github/workflows/maven_windows.yml
index 9e4bc2702e..98e5da2b79 100644
--- a/.github/workflows/maven_windows.yml
+++ b/.github/workflows/maven_windows.yml
@@ -3,6 +3,9 @@
name: Apache Jena CI (MS Windows)
on: workflow_dispatch
+permissions:
+ contents: read
+
jobs:
build:
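Review bot: this is the third copy of the same `permissions:` / `contents: read` block, and the diffstat lists only `maven.yml`, `maven_macos.yml` and `maven_windows.yml`. If the repository has other files under `.github/workflows/`, they keep the repository's default token permissions and need the same change. Since the setting has to be repeated in each workflow file, consider running the Scorecard token-permissions check linked in the commit message on a schedule or on pull requests, so a new workflow added without the block is flagged.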