Merge pull request #2147 from sashashura/patch-1

GitHub Workflows security hardening

Author: MarkDaoust

.github/workflows/bot-label-lgtm.yaml

@@ -10,6 +10,9 @@ on:
     # From: issue_comment, pull_request_review
     types: [created, edited, submitted]
 
+permissions:
+  pull-requests: write  #  to add labels to pull-requests
+
 jobs:
   lgtm-comment:
     # Check the comment. contains() is case-insensitive.

.github/workflows/bot-nightly.yaml

@@ -4,8 +4,12 @@ on:
   repository_dispatch:
     types: [nightly]
 
+permissions: {}
 jobs:
   snapshot-source:
+    permissions:
+      contents: write  #  for git push
+
     name: Update Keras guides
     if : ${{ github.actor == 'tfdocsbot' }}
     runs-on: ubuntu-latest

.github/workflows/bot-pr-fix.yaml

@@ -6,9 +6,15 @@ on:
   repository_dispatch:
     types: [opened, synchronize]
 
+permissions: {}
+
 jobs:
   nbfmt:
     # Check for opt-out label.
+    permissions:
+      contents: write
+      pull-requests: write
+
     if: >-
       ${{ github.actor == 'tfdocsbot' &&
           !contains(github.event.client_payload.pull_request.labels.*.name, 'nbfmt-disable') }}

.github/workflows/bot-pr-new.yaml

@@ -6,8 +6,15 @@ on:
   repository_dispatch:
     types: [opened, reopened]
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   comment-welcome:
+    permissions:
+      contents: read  #  to fetch code (actions/checkout)
+      pull-requests: write  #  to comment on pull-request
+
     if: ${{ github.actor == 'tfdocsbot' }}
     runs-on: ubuntu-latest
     steps: