Restrict permissions to github token for workflows (#2821)

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
This commit is contained in:
Avgustin Marinov
2025-11-18 16:23:30 +02:00
committed by GitHub
parent f574d6d2be
commit 018a18850c
5 changed files with 22 additions and 11 deletions

View File

@@ -16,6 +16,9 @@ on:
description: 'GitLab API token for Dash IP lab (needed only if open_tickets is true)' description: 'GitLab API token for Dash IP lab (needed only if open_tickets is true)'
required: false required: false
permissions:
contents: write
jobs: jobs:
reusable_workflow_license-scan: reusable_workflow_license-scan:
runs-on: ubuntu-latest runs-on: ubuntu-latest

View File

@@ -16,13 +16,13 @@ on:
description: 'If to override the tag if already exists' description: 'If to override the tag if already exists'
default: false default: false
permissions:
contents: write
jobs: jobs:
tag: tag:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: write
steps: steps:
- uses: actions/checkout@v5 - uses: actions/checkout@v5

View File

@@ -12,15 +12,15 @@ on:
type: boolean type: boolean
default: false default: false
permissions:
contents: read
# needed for trivy scans upload
security-events: write
jobs: jobs:
trivy-scan: trivy-scan:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
# needed for trivy scans upload
security-events: write
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v5 uses: actions/checkout@v5

View File

@@ -16,6 +16,9 @@ on:
default: '' default: ''
description: 'Properties to pass to Maven command line, e.g. -Djpa.vendor=hibernate' description: 'Properties to pass to Maven command line, e.g. -Djpa.vendor=hibernate'
permissions:
contents: read
jobs: jobs:
reusable_workflow_verify: reusable_workflow_verify:
runs-on: ubuntu-latest runs-on: ubuntu-latest

View File

@@ -6,6 +6,12 @@ on:
schedule: schedule:
- cron: "0 0 * * *" - cron: "0 0 * * *"
permissions:
contents: read
issues: write
# only needed if marking PRs as stale
# pull-requests: write
jobs: jobs:
stale: stale:
# only on original eclipse-hawkbit/hawkbit repo # only on original eclipse-hawkbit/hawkbit repo
@@ -16,12 +22,11 @@ jobs:
- uses: actions/stale@v10 - uses: actions/stale@v10
with: with:
repo-token: ${{ secrets.PAT_SECRET }} repo-token: ${{ secrets.PAT_SECRET }}
# disables automatic marking of issues as stale
days-before-stale: -1 days-before-stale: -1
days-before-close: 15 days-before-close: 15
stale-issue-label: 'awaiting' stale-issue-label: 'awaiting'
close-issue-message: |- close-issue-message: |-
There has been no response from the original author so I closed this issue. There has been no response from the original author so I closed this issue.
Please reach out if you have or find the answers we need so that we can investigate further. Please reach out if you have or find the answers we need so that we can investigate further.
only-labels: 'awaiting' only-labels: 'awaiting'
skip-stale-issue-message: 'true'
skip-stale-pr-message: 'true'