Merge pull request #6818 from sbueringer/pr-restrict-github-actions-perms

🌱 Restrict permissions of GitHub actions

Author: k8s-ci-robot

.github/workflows/dependabot.yml

@@ -9,6 +9,9 @@ on:
       - dependabot/**
   workflow_dispatch:
 
+permissions:
+  contents: write # Allow to update the PR.
+
 jobs:
   build:
     name: Build

.github/workflows/golangci-lint.yml

@@ -1,7 +1,12 @@
 name: golangci-lint
+
 on:
   pull_request:
     types: [opened, edited, synchronize, reopened]
+
+# Remove all permissions from GITHUB_TOKEN except metadata.
+permissions: {}
+
 jobs:
   golangci:
     name: lint

.github/workflows/lint-docs.yaml

@@ -6,6 +6,9 @@ on:
     paths:
       - '**.md'
 
+# Remove all permissions from GITHUB_TOKEN except metadata.
+permissions: {}
+
 jobs:
   markdown-link-check:
     name: Broken Links
@@ -15,4 +18,4 @@ jobs:
     - uses: gaurav-nelson/github-action-markdown-link-check@v1
       with:
         use-quiet-mode: 'yes'
-        config-file: .markdownlinkcheck.json
+        config-file: .markdownlinkcheck.json

.github/workflows/release.yml

@@ -1,10 +1,13 @@
+name: release
+
 on:
   push:
     # Sequence of patterns matched against refs/tags
     tags:
     - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
 
-name: release
+permissions:
+  contents: write # Allow to create a release.
 
 jobs:
   build:

.github/workflows/verify.yml

@@ -1,7 +1,12 @@
+name: verify
+
 on:
   pull_request_target:
     types: [opened, edited, synchronize, reopened]
 
+permissions:
+  checks: write # Allow access to checks to write check runs.
+
 jobs:
   verify:
     runs-on: ubuntu-latest