From 9a32a3bec4659fa65b02437558d5cc61a69c9d0b Mon Sep 17 00:00:00 2001
From: Step Security
Date: Wed, 5 Oct 2022 21:13:42 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions in issue-mark-duplicate.yml
---
 .github/workflows/check-if-pr-has-label.yml | 5 +++--
 .github/workflows/codeql.yml | 4 ----
 .github/workflows/l10n.yml | 4 +++-
 .github/workflows/maintenance.yml | 6 +++++-
 .../{issue-mark-duplicate.yml => mark-duplicate.yml} | 6 +++++-
 .github/workflows/no-response.yml | 3 +++
 .github/workflows/support-stackoverflow.yml | 8 ++++----
 .github/workflows/vale-action.yml | 6 +++++-
 8 files changed, 28 insertions(+), 14 deletions(-)
 rename .github/workflows/{issue-mark-duplicate.yml => mark-duplicate.yml} (79%)
diff --git a/.github/workflows/check-if-pr-has-label.yml b/.github/workflows/check-if-pr-has-label.yml
index b838d8ef88189..3701c22caa9a8 100644
--- a/.github/workflows/check-if-pr-has-label.yml
+++ b/.github/workflows/check-if-pr-has-label.yml
@@ -5,9 +5,10 @@ on:
 types: [opened, reopened, labeled, unlabeled]
 jobs:
- test-label-applied:
- # Tests that label is added on the PR
+ test-label-applied: # Tests that label is added on the PR
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: mnajdova/github-action-required-labels@v2.1
 with:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b12b43f00ef7b..1817071a27775 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -12,17 +12,14 @@ jobs:
 actions: read
 contents: read
 security-events: write
-
 strategy:
 fail-fast: false
 matrix:
 language: ['javascript', 'typescript']
 # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
 steps:
 - name: Checkout repository
 uses: actions/checkout@v3
-
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v2
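Review bot: Every third-party action in this patch is still referenced by a mutable ref — `mnajdova/github-action-required-labels@v2.1` in this hunk, and in the later hunks `actions-cool/issues-helper@v3`, `lee-dohm/no-response@v0.5.0`, `dessant/support-requests@v2`, `eps1lon/actions-label-merge-conflict@releases/2.x` and `errata-ai/vale-action@reviewdog` (a branch name) — so the job-level `permissions` block narrows what the token may do but not which code runs with it. For a change titled "Harden GitHub Actions" I would pin each `uses:` to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: mnajdova/github-action-required-labels@<commit-sha> # v2.1`. In this hunk `contents: read` is granted although no step checks out the repository; if the action reads labels from the event payload the job may need no scope at all, and an API lookup of the PR would need `pull-requests: read` instead, which is worth confirming against the action's README. Moving `# Tests that label is added on the PR` onto the key line looks like a serializer artifact rather than an intended edit; I would keep the comment on its own line above `test-label-applied:`.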
@@ -34,7 +31,6 @@ jobs:
 # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
 # queries: security-extended,security-and-quality
-
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v2
 with:
diff --git a/.github/workflows/l10n.yml b/.github/workflows/l10n.yml
index f592f8c8cb081..0c49d70b73769 100644
--- a/.github/workflows/l10n.yml
+++ b/.github/workflows/l10n.yml
@@ -10,6 +10,9 @@ jobs:
 # Tests dev-only scripts across all supported dev environments
 update-l10n:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ issues: write
 steps:
 - run: echo "${{ github.actor }}"
 - uses: actions/checkout@v3
@@ -22,7 +25,6 @@ jobs:
 env:
 # Don't need playwright in this job
 PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: yarn l10n --report
 env:
 # Don't need playwright in this job
diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml
index 3b814359de761..bfb7590524b3b 100644
--- a/.github/workflows/maintenance.yml
+++ b/.github/workflows/maintenance.yml
@@ -1,4 +1,5 @@
-name: 'Maintenance'
+name: Maintenance
+
 on:
 # So that PRs touching the same files as the push are updated
 push:
@@ -17,6 +18,9 @@ on:
 jobs:
 main:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
 - name: check if prs are dirty
 uses: eps1lon/actions-label-merge-conflict@releases/2.x
diff --git a/.github/workflows/issue-mark-duplicate.yml b/.github/workflows/mark-duplicate.yml
similarity index 79%
rename from .github/workflows/issue-mark-duplicate.yml
rename to .github/workflows/mark-duplicate.yml
index f375c3816d86e..9692bf2e1fb51 100644
--- a/.github/workflows/issue-mark-duplicate.yml
+++ b/.github/workflows/mark-duplicate.yml
@@ -1,4 +1,4 @@
-name: Issue Mark Duplicate
+name: Mark duplicate
 on:
 issue_comment:
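Review bot: The removed `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` in the second l10n hunk belongs to a step whose `name:`/`run:` line sits above the hunk, so it is not visible here whether that step talks to the GitHub API; if it does, it now runs with no token (unauthenticated calls are rate-limited and cannot write), and if it does not, the removal is a sound least-privilege cleanup. The `env:` block of the following `- name: yarn l10n --report` step is cut off at the hunk's end, so I also cannot tell whether that step kept its token, and the `issues: write` scope added to the job in the first hunk only matters if some step still receives `secrets.GITHUB_TOKEN`. I would confirm both against the full file and mark the step that needs the token with a one-line comment such as `# needs GITHUB_TOKEN: this step writes to the GitHub API`.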
@@ -7,6 +7,10 @@ on:
 jobs:
 mark-duplicate:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ issues: write
+ pull-requests: write
 steps:
 - name: mark-duplicate
 uses: actions-cool/issues-helper@v3
diff --git a/.github/workflows/no-response.yml b/.github/workflows/no-response.yml
index 40be2bbfda4f6..422f86ae34624 100644
--- a/.github/workflows/no-response.yml
+++ b/.github/workflows/no-response.yml
@@ -12,6 +12,9 @@ on:
 jobs:
 noResponse:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
 - uses: lee-dohm/no-response@v0.5.0
 with:
diff --git a/.github/workflows/support-stackoverflow.yml b/.github/workflows/support-stackoverflow.yml
index 109d45485e8af..63f69bca3a322 100644
--- a/.github/workflows/support-stackoverflow.yml
+++ b/.github/workflows/support-stackoverflow.yml
@@ -1,16 +1,16 @@
 # Configuration for support-requests - https://github.com/dessant/support-requests
-name: 'Support Stack Overflow'
+name: Support Stack Overflow
 on:
 issues:
 types: [labeled, unlabeled, reopened]
-permissions:
- issues: write
-
 jobs:
 mark-support:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ issues: write
 steps:
 - uses: dessant/support-requests@v2
 with:
diff --git a/.github/workflows/vale-action.yml b/.github/workflows/vale-action.yml
index 02c59c82d8047..9e64a45bbd3ed 100644
--- a/.github/workflows/vale-action.yml
+++ b/.github/workflows/vale-action.yml
@@ -1,10 +1,14 @@
-name: reviewdog
+name: Vale action
+
 on: [pull_request]
 jobs:
 vale:
 name: runner / vale
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
 - uses: actions/checkout@v3
 - uses: errata-ai/vale-action@reviewdog
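Review bot: The mark-duplicate job now holds both `issues: write` and `pull-requests: write` while its trigger is `issue_comment` (visible as context in the preceding hunk), an event that anyone able to comment on an issue or pull request can fire, so the `with:` configuration of `actions-cool/issues-helper@v3` — outside this hunk — is the only thing deciding who may mark something as a duplicate. I would confirm that configuration restricts the command to maintainers or similar, and drop `pull-requests: write` if the workflow is only meant to act on issues; that scope is needed only when the action must label or close pull requests. A comment above the block would make the intent explicit, e.g. `# issues-helper labels/closes the duplicate issue; no other scope is needed`.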
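Review bot: `pull-requests: write` looks like the wrong scope for `lee-dohm/no-response@v0.5.0` in the no-response hunk: as far as I recall that action closes and reopens issues that were waiting on their author, which needs `issues: write`, and with a job-level `permissions` block every unlisted scope becomes `none`, so the close call would be rejected. I would verify against the action's documentation and a workflow run, and write the block as `permissions:` / `issues: write`, keeping `pull-requests: write` only if pull requests are also in scope. `contents: read` is unused here since nothing checks out the repository, though it is harmless.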
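Review bot: In the support-stackoverflow hunk, moving `issues: write` from the workflow level to the job is a good narrowing, but the newly added `contents: read` has no consumer as far as I can see — there is no checkout step and the file's own header says the job is configuration for support-requests acting on issues — so the minimal block is `permissions:` / `issues: write`. If the hardening tool inserts `contents: read` by default, a short comment saying so (`# contents: read added by template; not required by this job`) would save the next reviewer the question. The same extra scope appears in the no-response and mark-duplicate hunks.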