Commit 2234926

Always set workflow permissions at job level
There are multiple scopes at which the permissions of the GITHUB_TOKEN access token (which is automatically generated for use in GitHub Actions workflow runs) can be configured:

- enterprise
- organization
- repository
- workflow
- job

The latter two scopes are configured using the `permissions` workflow key. The point of configuring permissions in the workflow is that each workflow may have different requirements. Granular configuration means that the "principle of least privilege" can be more closely followed, by only granting permissions in the specific scopes where they are needed.

Previously, in cases where the same permissions configuration could be used for all jobs in a workflow, the configuration was done at the workflow scope. Even if functionally equivalent, I think it is semantically more appropriate to always set the permissions at the job scope. This more clearly communicates that the intention is to make the most granular possible permissions configuration. Hopefully that will serve as a model for any additional jobs added to the workflow in the future and make it more likely that the appropriate permissions configuration will be done there.
1 parent 9cbdcb8 commit 2234926

15 files changed, +58 -3 lines changed
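The convention this commit adopts, that every job declares its own `permissions` rather than inheriting a workflow-level or repository default, is easy to check mechanically. The following is an added example, not code from this commit or its repository: a dependency-free Python check that reports jobs lacking a `permissions` key and whether a workflow-level block exists. It assumes the two-space block-style YAML seen in the diffs; `SAMPLE_WORKFLOW` is constructed for the example.

```python
import re

# Constructed sample workflow: one job declares its permissions, one does not.
SAMPLE_WORKFLOW = """\
name: Check Example
on:
  push:

jobs:
  run-determination:
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - run: echo ok
  check:
    needs: run-determination
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
"""

JOB_NAME = re.compile(r"[A-Za-z_][\w-]*:\s*$")


def find_jobs_without_permissions(workflow_text):
    """Return names of jobs under `jobs:` that declare no `permissions` key.

    Assumption: the two-space block style seen in the diffs, with job names at
    indent 2 and job keys (runs-on, permissions, steps, ...) at indent 4.
    """
    in_jobs, current, jobs = False, None, {}
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no structure
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:  # new top-level key; only the `jobs:` mapping matters
            in_jobs, current = line.rstrip() == "jobs:", None
        elif in_jobs and indent == 2 and JOB_NAME.match(line.strip()):
            current = line.strip()[:-1]  # job id without the trailing colon
            jobs[current] = False
        elif in_jobs and indent == 4 and current and line.strip().startswith("permissions:"):
            jobs[current] = True  # the job sets its own GITHUB_TOKEN scopes
    return [name for name, declared in jobs.items() if not declared]


def has_workflow_level_permissions(workflow_text):
    """True if a top-level `permissions:` key sets a workflow-wide default."""
    return any(ln.startswith("permissions:") for ln in workflow_text.splitlines())
```

Run it over each file under `.github/workflows/` in CI; a non-empty result from `find_jobs_without_permissions` is exactly the case the commit message hopes future contributors will avoid.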

.github/workflows/check-action-metadata-task.yml

Lines changed: 3 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -31,6 +31,7 @@ on:
3131
jobs:
3232
run-determination:
3333
runs-on: ubuntu-latest
34+
permissions: {}
3435
outputs:
3536
result: ${{ steps.determination.outputs.result }}
3637
steps:
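Review bot: `permissions: {}` on run-determination (line 34) revokes every GITHUB_TOKEN scope for that job, which is the right floor for a job whose only visible purpose is to compute `outputs.result`; please confirm that no step in it (the steps are outside this hunk) calls the GitHub API with the token, because those calls would now fail. The same `permissions: {}` is applied to run-determination in every workflow in this commit, so this check applies to all of them.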
@@ -56,6 +57,8 @@ jobs:
5657
needs: run-determination
5758
if: needs.run-determination.outputs.result == 'true'
5859
runs-on: ubuntu-latest
60+
permissions:
61+
contents: read
5962

6063
steps:
6164
- name: Checkout repository
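Review bot: `contents: read` (lines 60-61) is the minimum the following `Checkout repository` step needs and matches what the other workflows in this commit grant. If that step is `actions/checkout`, it still writes the token into the checkout's git config by default; adding `with: persist-credentials: false` keeps later steps from reusing it, which is the natural next step of the least-privilege intent stated in the commit message.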

.github/workflows/check-files-task.yml

Lines changed: 5 additions & 0 deletions
@@ -15,6 +15,7 @@ on:
1515
jobs:
1616
run-determination:
1717
runs-on: ubuntu-latest
18+
permissions: {}
1819
outputs:
1920
result: ${{ steps.determination.outputs.result }}
2021
steps:
@@ -40,6 +41,8 @@ jobs:
4041
needs: run-determination
4142
if: needs.run-determination.outputs.result == 'true'
4243
runs-on: ubuntu-latest
44+
permissions:
45+
contents: read
4346

4447
steps:
4548
- name: Checkout repository
@@ -58,6 +61,8 @@ jobs:
5861
needs: run-determination
5962
if: needs.run-determination.outputs.result == 'true'
6063
runs-on: ubuntu-latest
64+
permissions:
65+
contents: read
6166

6267
steps:
6368
- name: Checkout repository

.github/workflows/check-general-formatting-task.yml

Lines changed: 3 additions & 0 deletions
@@ -15,6 +15,7 @@ on:
1515
jobs:
1616
run-determination:
1717
runs-on: ubuntu-latest
18+
permissions: {}
1819
outputs:
1920
result: ${{ steps.determination.outputs.result }}
2021
steps:
@@ -40,6 +41,8 @@ jobs:
4041
needs: run-determination
4142
if: needs.run-determination.outputs.result == 'true'
4243
runs-on: ubuntu-latest
44+
permissions:
45+
contents: read
4346

4447
steps:
4548
- name: Set environment variables

.github/workflows/check-license.yml

Lines changed: 4 additions & 0 deletions
@@ -35,6 +35,7 @@ on:
3535
jobs:
3636
run-determination:
3737
runs-on: ubuntu-latest
38+
permissions: {}
3839
outputs:
3940
result: ${{ steps.determination.outputs.result }}
4041
steps:
@@ -60,6 +61,9 @@ jobs:
6061
needs: run-determination
6162
if: needs.run-determination.outputs.result == 'true'
6263
runs-on: ubuntu-latest
64+
permissions:
65+
contents: read
66+
6367

6468
steps:
6569
- name: Checkout repository
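Review bot: line 66 adds an empty line directly before the existing empty line (63/67), leaving two consecutive blank lines between `contents: read` and `steps:`; the other workflows in this commit add only the two `permissions` lines, so drop the extra blank line here for consistency.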

.github/workflows/check-markdown-task.yml

Lines changed: 5 additions & 0 deletions
@@ -41,6 +41,7 @@ on:
4141
jobs:
4242
run-determination:
4343
runs-on: ubuntu-latest
44+
permissions: {}
4445
outputs:
4546
result: ${{ steps.determination.outputs.result }}
4647
steps:
@@ -66,6 +67,8 @@ jobs:
6667
needs: run-determination
6768
if: needs.run-determination.outputs.result == 'true'
6869
runs-on: ubuntu-latest
70+
permissions:
71+
contents: read
6972

7073
steps:
7174
- name: Checkout repository
@@ -92,6 +95,8 @@ jobs:
9295
needs: run-determination
9396
if: needs.run-determination.outputs.result == 'true'
9497
runs-on: ubuntu-latest
98+
permissions:
99+
contents: read
95100

96101
steps:
97102
- name: Checkout repository

.github/workflows/check-npm-task.yml

Lines changed: 7 additions & 3 deletions
@@ -26,12 +26,10 @@ on:
2626
workflow_dispatch:
2727
repository_dispatch:
2828

29-
permissions:
30-
contents: read
31-
3229
jobs:
3330
run-determination:
3431
runs-on: ubuntu-latest
32+
permissions: {}
3533
outputs:
3634
result: ${{ steps.determination.outputs.result }}
3735
steps:
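Review bot: deleting the workflow-level `permissions: contents: read` block (lines 29-31) means any job in this file that lacks its own `permissions` key, including ones added later, falls back to the repository or organization default for GITHUB_TOKEN, which can be the permissive read/write setting. Consider keeping `permissions: {}` at the workflow level as a floor: the job-level blocks added in this commit override it, so the per-job intent described in the commit message is preserved while a job that forgets to declare permissions gets no access instead of the default.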
@@ -57,6 +55,9 @@ jobs:
5755
needs: run-determination
5856
if: needs.run-determination.outputs.result == 'true'
5957
runs-on: ubuntu-latest
58+
permissions:
59+
contents: read
60+
6061

6162
steps:
6263
- name: Checkout repository
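Review bot: line 60 (and likewise line 86 in the next hunk) adds an empty line before an existing one, producing two consecutive blank lines between `contents: read` and `steps:`; the other workflows in this commit add only the two `permissions` lines, so the extra blank line should go.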
@@ -80,6 +81,9 @@ jobs:
8081
needs: run-determination
8182
if: needs.run-determination.outputs.result == 'true'
8283
runs-on: ubuntu-latest
84+
permissions:
85+
contents: read
86+
8387

8488
steps:
8589
- name: Checkout repository

.github/workflows/check-prettier-formatting-task.yml

Lines changed: 3 additions & 0 deletions
@@ -209,6 +209,7 @@ on:
209209
jobs:
210210
run-determination:
211211
runs-on: ubuntu-latest
212+
permissions: {}
212213
outputs:
213214
result: ${{ steps.determination.outputs.result }}
214215
steps:
@@ -234,6 +235,8 @@ jobs:
234235
needs: run-determination
235236
if: needs.run-determination.outputs.result == 'true'
236237
runs-on: ubuntu-latest
238+
permissions:
239+
contents: read
237240

238241
steps:
239242
- name: Checkout repository

.github/workflows/check-python-task.yml

Lines changed: 5 additions & 0 deletions
@@ -35,6 +35,7 @@ on:
3535
jobs:
3636
run-determination:
3737
runs-on: ubuntu-latest
38+
permissions: {}
3839
outputs:
3940
result: ${{ steps.determination.outputs.result }}
4041
steps:
@@ -60,6 +61,8 @@ jobs:
6061
needs: run-determination
6162
if: needs.run-determination.outputs.result == 'true'
6263
runs-on: ubuntu-latest
64+
permissions:
65+
contents: read
6366

6467
steps:
6568
- name: Checkout repository
@@ -92,6 +95,8 @@ jobs:
9295
needs: run-determination
9396
if: needs.run-determination.outputs.result == 'true'
9497
runs-on: ubuntu-latest
98+
permissions:
99+
contents: read
95100

96101
steps:
97102
- name: Checkout repository

.github/workflows/check-taskfiles.yml

Lines changed: 3 additions & 0 deletions
@@ -29,6 +29,7 @@ on:
2929
jobs:
3030
run-determination:
3131
runs-on: ubuntu-latest
32+
permissions: {}
3233
outputs:
3334
result: ${{ steps.determination.outputs.result }}
3435
steps:
@@ -55,6 +56,8 @@ jobs:
5556
needs: run-determination
5657
if: needs.run-determination.outputs.result == 'true'
5758
runs-on: ubuntu-latest
59+
permissions:
60+
contents: read
5861

5962
strategy:
6063
fail-fast: false

.github/workflows/check-toc-task.yml

Lines changed: 3 additions & 0 deletions
@@ -29,6 +29,7 @@ on:
2929
jobs:
3030
run-determination:
3131
runs-on: ubuntu-latest
32+
permissions: {}
3233
outputs:
3334
result: ${{ steps.determination.outputs.result }}
3435
steps:
@@ -55,6 +56,8 @@ jobs:
5556
needs: run-determination
5657
if: needs.run-determination.outputs.result == 'true'
5758
runs-on: ubuntu-latest
59+
permissions:
60+
contents: read
5861

5962
strategy:
6063
fail-fast: false
