mirror of
https://github.com/privatevoid-net/nix-super.git
synced 2024-11-22 22:16:16 +02:00
chore: Set permissions for GitHub actions
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
This commit is contained in:
parent
b7eb4ac169
commit
d31c520f40
2 changed files with 5 additions and 0 deletions
2
.github/workflows/ci.yml
vendored
2
.github/workflows/ci.yml
vendored
|
@ -28,6 +28,8 @@ jobs:
|
||||||
- run: nix --experimental-features 'nix-command flakes' flake check -L
|
- run: nix --experimental-features 'nix-command flakes' flake check -L
|
||||||
|
|
||||||
check_cachix:
|
check_cachix:
|
||||||
|
permissions:
|
||||||
|
contents: none
|
||||||
name: Cachix secret present for installer tests
|
name: Cachix secret present for installer tests
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
outputs:
|
outputs:
|
||||||
|
|
3
.github/workflows/hydra_status.yml
vendored
3
.github/workflows/hydra_status.yml
vendored
|
@ -3,6 +3,9 @@ on:
|
||||||
schedule:
|
schedule:
|
||||||
- cron: "12,42 * * * *"
|
- cron: "12,42 * * * *"
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
check_hydra_status:
|
check_hydra_status:
|
||||||
name: Check Hydra status
|
name: Check Hydra status
|
||||||
|
|
Loading…
Reference in a new issue