fix: lock down permissions

gilescope · gilescope · commit 55ae4ab4e589 · 2025-04-24T20:58:11.000+01:00
diff --git a/.envrc b/.envrc
@@ -6,6 +6,11 @@
 git config --local commit.gpgSign true
 git config --local tag.gpgSign true
 
+# docker on mac expects linux/arm64/v8 but currently we don't publish that build
+if [[ "$(uname -s)" == "Darwin" ]] && [[ "$(uname -m)" == "arm64" ]]; then
+  export DOCKER_DEFAULT_PLATFORM=linux/arm64
+fi
+
 export MIDNIGHT_NODE_IMAGE="midnightnetwork/midnight-node:0.8.0"
 
 export POSTGRES_HOST="postgres" # TODO: replace with IP or host to postgres connection if not connecting to the docker one.
diff --git a/.github/ISSUE_TEMPLATE/documentation-improvement.md b/.github/ISSUE_TEMPLATE/documentation-improvement.md
@@ -8,7 +8,7 @@ assignees: ""
 
 Documentation Improvement: Clearly describe the improvement requested for existing content and/or raise missing areas of documentation and provide details for what should be included.
 
-### Documentation url:
+### Documentation URL:
 <!-- Specify the exact location of the documentation you are referencing. -->
 
 ### Description of Improvement:
diff --git a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md
@@ -12,9 +12,9 @@
 - [ ] All check jobs of the CI have succeeded
 - [ ] Self-reviewed the diff
 - [ ] Reviewer requested
-- [ ] Update README file (if relevant)
+- [ ] Update README.md file (if relevant)
 - [ ] Update documentation (if relevant)
-- [ ] No new TODOs introduced
+- [ ] No new todos introduced
 
 ## Links
 
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -1,5 +1,10 @@
 name: CI
 
+# ↓ lock down top‐level permissions to only what we use
+permissions:
+  contents: read             # we only need to checkout code
+  actions: read              # to query workflows/runs
+
 # Run on pushes to any branch and pull requests
 on:
   push:
diff --git a/cardano-cli.sh b/cardano-cli.sh
@@ -14,7 +14,7 @@ fi
 DOCKER_DEFAULT_PLATFORM=linux/amd64 docker run --rm \
   --network container:cardano-node \
   -e CARDANO_NODE_SOCKET_PATH="/ipc/node.socket" \
-  -e CARDANO_NODE_NETWORK_ID=${CARDANO_NODE_NETWORK_ID} \
+  -e CARDANO_NODE_NETWORK_ID="${CARDANO_NODE_NETWORK_ID}" \
   -v ~/ipc:/ipc \
-  ${CARDANO_IMAGE} \
-  cli $*
+  "${CARDANO_IMAGE}" \
+  cli "$@"
diff --git a/midnight-node.sh b/midnight-node.sh
@@ -2,12 +2,12 @@
 
 if [ -z "$MIDNIGHT_NODE_IMAGE" ]; then
   echo "Error: Env var MIDNIGHT_NODE_IMAGE is not set or is empty"
-  echo "Please install direnv and run `direnv allow` to activate it."
+  echo "Please install direnv and run 'direnv allow' to activate it."
   exit 1
 fi
 
 docker run -it \
-  -e CFG_PRESET=${CFG_PRESET} \
-  -e DB_SYNC_POSTGRES_CONNECTION_STRING=${DB_SYNC_POSTGRES_CONNECTION_STRING} \
-  -v ./data:/data ${MIDNIGHT_NODE_IMAGE} \
-  $*
+  -e CFG_PRESET="${CFG_PRESET}" \
+  -e DB_SYNC_POSTGRES_CONNECTION_STRING="${DB_SYNC_POSTGRES_CONNECTION_STRING}" \
+  -v ./data:/data "${MIDNIGHT_NODE_IMAGE}" \
+  "$@"
