Restrict permissions to github token for workflows (#2821)

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
Avgustin Marinov
2025-11-18 16:23:30 +02:00
committed by GitHub
parent f574d6d2be
commit 018a18850c
5 changed files with 22 additions and 11 deletions


@@ -16,6 +16,9 @@ on:
description: 'GitLab API token for Dash IP lab (needed only if open_tickets is true)'
required: false
permissions:
contents: write
jobs:
reusable_workflow_license-scan:
runs-on: ubuntu-latest
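Review bot: The new top-level `contents: write` for the license-scan workflow is the broadest grant in this commit, and nothing in the visible lines shows which step needs to write to the repository; the job body continues outside the hunk. If a step does push or create content, a comment above the key naming that step would document it, e.g. `# needed for <step that writes>`, in the way the trivy workflow annotates `security-events: write`. If nothing writes, `contents: read` is sufficient. The job name suggests this file is invoked through `workflow_call`; if so, the token can never exceed what the calling workflow grants, so callers must declare the same scope or the write will fail at run time.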


@@ -16,13 +16,13 @@ on:
description: 'If to override the tag if already exists'
default: false
permissions:
contents: write
jobs:
tag:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v5
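Review bot: Declaring `contents: write` at the top of the workflow applies it to every job in the file, whereas the block under `tag:` scoped it to the one job that pushes the tag. The page has lost its +/- markers, so this assumes the job-level block is the removed side, as the other files in the commit suggest. With a single job the effective token is unchanged today, but any job added later inherits write access without anyone deciding that it should. A tighter layout keeps `permissions: {}` (or `contents: read`) at the top and leaves `contents: write` on `tag:`. The same applies to the trivy workflow in the next file, where `security-events: write` appears both at workflow level and under `trivy-scan:`.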


@@ -12,15 +12,15 @@ on:
type: boolean
default: false
permissions:
contents: read
# needed for trivy scans upload
security-events: write
jobs:
trivy-scan:
runs-on: ubuntu-latest
permissions:
contents: read
# needed for trivy scans upload
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v5


@@ -16,6 +16,9 @@ on:
default: ''
description: 'Properties to pass to Maven command line, e.g. -Djpa.vendor=hibernate'
permissions:
contents: read
jobs:
reusable_workflow_verify:
runs-on: ubuntu-latest


@@ -6,6 +6,12 @@ on:
schedule:
- cron: "0 0 * * *"
permissions:
contents: read
issues: write
# only needed if marking PRs as stale
# pull-requests: write
jobs:
stale:
# only on original eclipse-hawkbit/hawkbit repo
@@ -16,12 +22,11 @@ jobs:
- uses: actions/stale@v10
with:
repo-token: ${{ secrets.PAT_SECRET }}
# disables automatic marking of issues as stale
days-before-stale: -1
days-before-close: 15
stale-issue-label: 'awaiting'
close-issue-message: |-
There has been no response from the original author so I closed this issue.
Please reach out if you have or find the answers we need so that we can investigate further.
only-labels: 'awaiting'
skip-stale-issue-message: 'true'
skip-stale-pr-message: 'true'
only-labels: 'awaiting'
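Review bot: The top-level `permissions:` block added in the first hunk limits only the automatic `GITHUB_TOKEN`, while the `actions/stale@v10` step in the second hunk is given `repo-token: ${{ secrets.PAT_SECRET }}`. If that line is still on the new side (the +/- markers are lost on this page), the action runs with whatever scopes the PAT carries, and `issues: write` does not constrain it. Either pass `repo-token: ${{ github.token }}`, which is also the action's default when the input is omitted, so that the declared permissions actually apply, or add a comment above `repo-token` stating why a PAT is required and which scopes it holds. The `with:` block starts outside the second hunk.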