Commit a593699

chore: restrict GitHub workflow permissions - future-proof
Signed-off-by: Melissa Kilby <[email protected]>
1 parent 7566cd4 commit a593699

4 files changed

+9
-0
lines changed

.github/workflows/automerge_to_future.yml

Lines changed: 2 additions & 0 deletions
@@ -1,6 +1,8 @@
11
name: Create PR to merge release branch into the main branch
22
# At the end of a release cycle and the start of a new one, we may want to automatically forward all changes to the current branch (main) to the branch for the next release (future).
33
# This workflow can be disabled earlier in the release cycle in the GitHub UI as described in https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/disabling-and-enabling-a-workflow
4+
permissions:
5+
contents: read
46
on:
57
schedule:
68
- cron: '0 9 * * *'
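
Review bot: The top-level `permissions:` block at new lines 4-5 grants only `contents: read`, which sets every other GITHUB_TOKEN scope to none, yet the `name:` on line 1 says this workflow creates a PR. If the PR-creating job authenticates with GITHUB_TOKEN it will need a job-level `pull-requests: write` (and `contents: write` if it pushes a branch); if it uses a separate token, a one-line comment above the block saying so would make the read-only default self-explanatory. The jobs are outside this hunk, so please confirm which case applies.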

.github/workflows/automerge_to_main.yml

Lines changed: 2 additions & 0 deletions
@@ -1,6 +1,8 @@
11
name: Create PR to merge release branch into the main branch
22
# At the end of a release cycle, we may want to automatically include all changes to release branches on the main branch to avoid the need for cherry-picking changes back to release branches
33
# This workflow can be disabled earlier in the release cycle in the GitHub UI as described in https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/disabling-and-enabling-a-workflow
4+
permissions:
5+
contents: read
46
on:
57
schedule:
68
- cron: '0 9 * * *'
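
Review bot: The new `permissions:` block at lines 4-5 carries no comment, while the two lines directly above it document the workflow in detail. A short note stating that this is a read-only default and that write scopes belong on individual jobs would keep later editors from widening it at the top level. The `name:` on line 1 is also identical to the one in automerge_to_future.yml, so a run that fails on a missing permission will be hard to attribute in the Actions list.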

.github/workflows/automerge_to_release.yml

Lines changed: 2 additions & 0 deletions
@@ -1,6 +1,8 @@
11
name: Create PR to merge main into release branch
22
# In the first period after branching the release branch, we typically want to include many changes from `main` in the release branch. This workflow automatically creates a PR every Monday to merge main into the release branch.
33
# Later in the release cycle we should stop this practice to avoid landing risky changes by disabling this workflow. To do so, disable the workflow as described in https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/disabling-and-enabling-a-workflow
4+
permissions:
5+
contents: read
46
on:
57
schedule:
68
- cron: '0 9 * * MON'
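
Review bot: The only trigger visible below the new `permissions:` block is `schedule`, so the PR that introduces this change does not exercise it; the first run under `contents: read` happens at the next `0 9 * * MON` tick. If no `workflow_dispatch` trigger exists further down the file, consider adding one, or run the workflow manually after merge, to confirm the PR creation still succeeds with the restricted token.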

.github/workflows/pull_request.yml

Lines changed: 3 additions & 0 deletions
@@ -1,5 +1,8 @@
11
name: Pull request
22

3+
permissions:
4+
contents: read
5+
36
on:
47
pull_request:
58
types: [opened, reopened, synchronize]
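
Review bot: The blank line added at new line 5 separates `contents: read` from `on:`, whereas the three automerge workflows in this commit place `contents: read` directly above `on:`; pick one layout for all four files. Any job in this workflow that posts PR comments or commit statuses through GITHUB_TOKEN will now need its own job-level grant such as `pull-requests: write` or `statuses: write`, so check the jobs below this hunk.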
