Restrict token permissions (#1706)

2025-02-06 19:22:28 -08:00 · 2025-02-06 19:22:28 -08:00 · 9c38680126
parent a801a43c86
commit 9c38680126
9 changed files with 48 additions and 8 deletions
--- a/.github/config/markdown-lint-config.yml
+++ b/.github/config/markdown-lint-config.yml
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@ -99,5 +99,17 @@
      "matchUpdateTypes": ["major"],
      "enabled": false,
    }
+  ],
+  "customManagers": [
+    {
+      "customType": "regex",
+      "datasourceTemplate": "npm",
+      "fileMatch": [
+        "^.github/workflows/"
+      ],
+      "matchStrings": [
+        "npx (?<depName>[^@]+)@(?<currentValue>[^\\s]+)"
+      ]
+    }
  ]
 }
--- a/.github/workflows/assign-reviewers.yml
+++ b/.github/workflows/assign-reviewers.yml
@ -8,8 +8,14 @@ on:
  # because repository write permission is needed to assign reviewers
  pull_request_target:

+permissions:
+  contents: read
+
 jobs:
  assign-reviewers:
+    permissions:
+      contents: read
+      pull-requests: write  # for assigning reviewers
    runs-on: ubuntu-latest
    steps:
      - uses: open-telemetry/assign-reviewers-action@b101a9c17274e3d4fff0853898007e9e3a366675 # main
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -8,6 +8,9 @@ on:
  pull_request:
  workflow_dispatch:

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true
--- a/.github/workflows/issue-management-feedback-label.yml
+++ b/.github/workflows/issue-management-feedback-label.yml
@ -1,11 +1,17 @@
-name: Issue management - remove needs feedback label
+name: Issue management - remove labels as needed

 on:
  issue_comment:
    types: [created]

+permissions:
+  contents: read
+
 jobs:
  issue_comment:
+    permissions:
+      contents: read
+      issues: write
    if: >
      contains(github.event.issue.labels.*.name, 'needs author feedback') &&
      github.event.comment.user.login == github.event.issue.user.login
@ -13,9 +19,10 @@ jobs:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - name: Remove label
+      - name: Remove labels
        env:
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh issue edit --remove-label "needs author feedback" $ISSUE_NUMBER
+          gh issue edit --remove-label "stale" $ISSUE_NUMBER
--- a/.github/workflows/issue-management-stale-action.yml
+++ b/.github/workflows/issue-management-stale-action.yml
@ -11,6 +11,7 @@ permissions:
 jobs:
  stale:
    permissions:
+      contents: read
      issues: write  # for actions/stale to close stale issues
      pull-requests: write  # for actions/stale to close stale PRs
    runs-on: ubuntu-latest
@ -21,11 +22,15 @@ jobs:
          days-before-stale: 7
          days-before-close: 7
          only-labels: "needs author feedback"
+          stale-issue-label: stale
          stale-issue-message: >
            This has been automatically marked as stale because it has been marked
            as needing author feedback and has not had any activity for 7 days.
-            It will be closed if no further activity occurs within 7 days of this comment.
+            It will be closed automatically if there is no response from the author
+            within 7 additional days from this comment.
+          stale-pr-label: stale
          stale-pr-message: >
            This has been automatically marked as stale because it has been marked
            as needing author feedback and has not had any activity for 7 days.
-            It will be closed if no further activity occurs within 7 days of this comment.
+            It will be closed automatically if there is no response from the author
+            within 7 additional days from this comment.
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -2,6 +2,9 @@ name: Release
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ubuntu-latest
@ -50,6 +53,8 @@ jobs:
          path: jmx-metrics/build/reports/tests/integrationTest

  release:
+    permissions:
+      contents: write # for creating the release
    runs-on: ubuntu-latest
    needs:
      - build
@ -186,6 +191,8 @@ jobs:
          echo "version=$VERSION" >> $GITHUB_OUTPUT

  merge-change-log-to-main:
+    permissions:
+      contents: write # for git push to PR branch
    runs-on: ubuntu-latest
    needs:
      - release
--- a/.github/workflows/reusable-markdown-link-check.yml
+++ b/.github/workflows/reusable-markdown-link-check.yml
@ -3,6 +3,9 @@ name: Reusable - Markdown link check
 on:
  workflow_call:

+permissions:
+  contents: read
+
 jobs:
  markdown-link-check:
    runs-on: ubuntu-latest
--- a/.github/workflows/reusable-markdown-lint.yml
+++ b/.github/workflows/reusable-markdown-lint.yml
@ -12,9 +12,6 @@ jobs:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - name: Install markdownlint
-        run: npm install -g markdownlint-cli
-
      - name: Run markdownlint
        run: |
-          markdownlint -c .github/config/markdown-lint-config.yml **/*.md
+          npx markdownlint-cli@0.43.0 -c .github/config/markdownlint.yml **/*.md