
Commit 7aa25f5

fix(security): add explicit workflow permissions
Resolves CodeQL actions/missing-workflow-permissions alerts. Adds explicit permissions blocks to all workflow YAML files.
1 parent 834aadb commit 7aa25f5

15 files changed

+51
-0
lines changed

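--- a/.github/workflows/changesets.yml
+++ b/.github/workflows/changesets.yml
@@ -5,6 +5,11 @@ on:
 branches:
 - main
 
+permissions:
+contents: write
+pull-requests: write
+actions: write
+
 jobs:
 changesets:
 name: Changesets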
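Review bot: The write scopes added at new lines 8–11 are declared at workflow level, so they are granted to every job in this file rather than only to the changesets job that needs them; keep the workflow default at `contents: read` and move `contents: write` / `pull-requests: write` into the job. `actions: write` is unusual for a changesets release job — if no step dispatches, re-runs or cancels workflow runs, drop it, and if one does, add a one-line comment above it stating which step needs it. The changesets job body continues outside the hunk, so which steps actually use the token cannot be confirmed here.
```yaml
permissions:
  contents: read

jobs:
  changesets:
    name: Changesets
    permissions:
      contents: write
      pull-requests: write
    # … unchanged: runs-on and steps …
```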

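--- a/.github/workflows/contracts.yml
+++ b/.github/workflows/contracts.yml
@@ -7,6 +7,9 @@ on:
 - main
 pull_request:
 
+permissions:
+contents: read
+
 jobs:
 contracts_run_ts_tests:
 name: Run Typescript Tests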
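Review bot: The workflow-level `permissions: contents: read` at new lines 10–11 replaces the repository's default token scopes for every job in the file, so if the default was read-write, any step that posts check results, comments on the pull request or publishes a package would now get a 403; the job bodies are outside the hunk, so this needs confirming before merge. The same check applies to the identical blocks in examples.yml, golangci-lint.yml, integration-tests-publish.yml, integration-tests-smoke.yml, integration-tests-soak.yml, integration_gauntlet.yml, lint.yml and monitoring-build-push-ecr.yml. Where a job needs more, grant it on that job rather than widening the workflow default, e.g. a job-level `permissions: { contents: read, checks: write }`.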

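--- a/.github/workflows/examples.yml
+++ b/.github/workflows/examples.yml
@@ -7,6 +7,9 @@ on:
 - main
 pull_request:
 
+permissions:
+contents: read
+
 jobs:
 run_examples_tests:
 name: Run Tests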

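--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -3,6 +3,9 @@ name: golangci_lint
 on:
 push:
 
+permissions:
+contents: read
+
 jobs:
 golangci-lint-version:
 name: Get golangci-lint version to from nix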

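--- a/.github/workflows/integration-tests-publish.yml
+++ b/.github/workflows/integration-tests-publish.yml
@@ -6,6 +6,9 @@ on:
 branches:
 - develop
 
+permissions:
+contents: read
+
 env:
 ECR_TAG: ${{ secrets.QA_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.QA_AWS_REGION }}.amazonaws.com/chainlink-starknet-tests:develop
 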
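--- a/.github/workflows/integration-tests-smoke.yml
+++ b/.github/workflows/integration-tests-smoke.yml
@@ -19,6 +19,9 @@ concurrency:
 group: integration-tests-starknet-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+contents: read
+
 env:
 # for PR builds, ${{ github.sha }} is the temporary merge commit, we want the head commit instead
 SN_SHA: ${{ github.event.pull_request.head.sha || github.sha }}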

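--- a/.github/workflows/integration-tests-soak.yml
+++ b/.github/workflows/integration-tests-soak.yml
@@ -20,6 +20,9 @@ on:
 required: true
 type: string
 
+permissions:
+contents: read
+
 env:
 TEST_LOG_LEVEL: debug
 CL_ECR: ${{ secrets.QA_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.QA_AWS_REGION }}.amazonaws.com/chainlink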

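--- a/.github/workflows/integration_gauntlet.yml
+++ b/.github/workflows/integration_gauntlet.yml
@@ -7,6 +7,9 @@ on:
 - main
 pull_request:
 
+permissions:
+contents: read
+
 jobs:
 gauntlet_eslint:
 name: Gauntlet ESLint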

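--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,6 +7,9 @@ on:
 - main
 pull_request:
 
+permissions:
+contents: read
+
 jobs:
 lint_format_check:
 name: Format Check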

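--- a/.github/workflows/monitoring-build-push-ecr.yml
+++ b/.github/workflows/monitoring-build-push-ecr.yml
@@ -8,6 +8,9 @@ on:
 - monitoring/**
 - relayer/**
 
+permissions:
+contents: read
+
 jobs:
 build-and-publish-monitoring:
 runs-on: ubuntu-latest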
