update workflow permissions

moonbeam-foundation · Oct 21, 2024 · 43ca644 · 43ca644
1 parent 6b4c944
commit 43ca644
Show file tree

Hide file tree

Showing 17 changed files with 81 additions and 21 deletions.
diff --git a/.github/workflows/cancel.yml b/.github/workflows/cancel.yml
@@ -5,10 +5,13 @@ jobs:
     name: "Cancel Previous Build"
     if: github.ref != 'refs/heads/master'
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: read
     timeout-minutes: 3
     steps:
       - uses: styfle/cancel-workflow-action@0.12.1
         with:
           workflow_id: ".github/workflows/build.yml,.github/workflows/coverage.yml"
           all_but_latest: true
-          access_token: ${{ github.token }}
+          access_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/check-benchmarks.yml b/.github/workflows/check-benchmarks.yml
@@ -16,32 +16,32 @@ jobs:
     steps:
       - name: Check git ref
         id: check-git-ref
-        # if PR
-        # else if manual PR
-        # else (push)
         run: |
           if [[ -n "${{ github.event.pull_request.head.sha }}" ]]; then
-            echo "git_ref=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
+            echo "git_ref=${{ github.event.pull_request.head.sha }}" >> "$GITHUB_OUTPUT"
           elif [[ -n "${{ github.event.inputs.pull_request }}" ]]; then
-            echo "git_ref=refs/pull/${{ github.event.inputs.pull_request }}/head" >> $GITHUB_OUTPUT
+            echo "git_ref=refs/pull/${{ github.event.inputs.pull_request }}/head" >> "$GITHUB_OUTPUT"
           else
-            echo "git_ref=$GITHUB_REF" >> $GITHUB_OUTPUT
+            echo "git_ref=${GITHUB_REF}" >> "$GITHUB_OUTPUT"
           fi
+
   verify:
     needs: ["set-tags"]
     runs-on:
       labels: bare-metal
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           ref: ${{ needs.set-tags.outputs.git_ref }}
+          persist-credentials: false
+          fetch-depth: 0
       - name: Setup Variables
-        shell: bash
         run: |
-          echo "RUSTFLAGS=-C opt-level=3 -D warnings -C linker=clang -C link-arg=-fuse-ld=$(pwd)/mold/bin/mold" >> $GITHUB_ENV
+          echo "RUSTFLAGS=-C opt-level=3 -D warnings -C linker=clang -C link-arg=-fuse-ld=$(pwd)/mold/bin/mold" >> "$GITHUB_ENV"
       - name: Setup Mold Linker
-        shell: bash
         run: |
           mkdir -p mold
           curl -L --retry 10 --silent --show-error https://github.com/rui314/mold/releases/download/v2.30.0/mold-2.30.0-$(uname -m)-linux.tar.gz | tar -C $(realpath mold) --strip-components=1 -xzf -
@@ -60,7 +60,7 @@ jobs:
         shell: bash
         run: |
           ./scripts/run-benches-for-runtime.sh moonbase release
-          if test -f "benchmarking_errors.txt"; then
+          if [[ -f "benchmarking_errors.txt" ]]; then
             cat benchmarking_errors.txt
-            false
+            exit 1
           fi
diff --git a/.github/workflows/check-licenses.yml b/.github/workflows/check-licenses.yml
@@ -7,6 +7,8 @@ on:
 jobs:
   verify:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - name: Install Rust toolchain

diff --git a/.github/workflows/client-release-issue.yml b/.github/workflows/client-release-issue.yml
@@ -11,7 +11,9 @@ on:
 
 jobs:
   setup-scripts:
-    runs-on: bare-metal
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - name: Upload tools
@@ -23,6 +25,9 @@ jobs:
   create_client_ticket:
     needs: ["setup-scripts"]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -19,8 +19,9 @@ jobs:
   ####### Check files and formatting #######
 
   set-tags:
-    runs-on:
-      labels: bare-metal
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       git_branch: ${{ steps.check-git-ref.outputs.git_branch }}
       git_target_branch: ${{ steps.check-git-ref.outputs.git_target_branch }}
@@ -89,6 +90,8 @@ jobs:
   build-and-coverage:
     runs-on:
       labels: bare-metal
+    permissions:
+      contents: read
     needs: ["set-tags"]
     if: ${{ !github.event.pull_request.head.repo.fork }}
     timeout-minutes: 90

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -9,7 +9,8 @@ jobs:
   deploy-docs:
     name: Deploy docs
     runs-on: bare-metal
-
+    permissions:
+      contents: read
     steps:
       # The protobuf compiler should be pre-installed on bare-metal
       #- name: Install tooling

diff --git a/.github/workflows/enforce-pr-labels.yml b/.github/workflows/enforce-pr-labels.yml
@@ -6,6 +6,8 @@ on:
 jobs:
   enforce-noteworthiness-label:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: yogevbd/enforce-label-action@2.2.2
         with:
@@ -21,6 +23,8 @@ jobs:
           BANNED_LABELS: ""
   enforce-auditability-label:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: yogevbd/enforce-label-action@2.2.2
         with:

diff --git a/.github/workflows/prepare-binary.yml b/.github/workflows/prepare-binary.yml
@@ -16,6 +16,8 @@ jobs:
 
   build-binary:
     runs-on: bare-metal
+    permissions:
+      contents: read
     strategy:
       matrix:
         cpu: ["x86-64", "skylake", "znver3"]
@@ -54,6 +56,8 @@ jobs:
   ####### Prepare the release draft #######
   docker-release-candidate:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: ["build-binary"]
     steps:
       - name: Checkout

diff --git a/.github/workflows/publish-binary.yml b/.github/workflows/publish-binary.yml
@@ -14,7 +14,9 @@ on:
 jobs:
   ####### Building binaries #######
   setup-scripts:
-    runs-on: bare-metal
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - name: Upload tools
@@ -26,6 +28,8 @@ jobs:
   build-binary:
     needs: ["setup-scripts"]
     runs-on: bare-metal
+    permissions:
+      contents: read
     strategy:
       matrix:
         cpu: ["x86-64", "skylake", "znver3"]
@@ -67,6 +71,8 @@ jobs:
 
   publish-draft-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: ["build-binary"]
     outputs:
       release_url: ${{ steps.create-release.outputs.html_url }}

diff --git a/.github/workflows/publish-docker-runtime.yml b/.github/workflows/publish-docker-runtime.yml
@@ -10,6 +10,8 @@ on:
 jobs:
   tag-docker:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
@@ -10,6 +10,8 @@ on:
 jobs:
   tag-docker:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/publish-runtime.yml b/.github/workflows/publish-runtime.yml
@@ -15,7 +15,9 @@ jobs:
   ####### Build runtimes with srtool #######
 
   setup-scripts:
-    runs-on: bare-metal
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - name: Upload scripts
@@ -30,7 +32,9 @@ jobs:
           path: tools
 
   read-rust-version:
-    runs-on: bare-metal
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       rust_version: ${{ steps.get-version.outputs.rust_version }}
     steps:
@@ -43,6 +47,8 @@ jobs:
   build-srtool-runtimes:
     needs: ["setup-scripts", "read-rust-version"]
     runs-on: bare-metal
+    permissions:
+      contents: read
     strategy:
       matrix:
         chain: ["moonbase", "moonriver", "moonbeam"]
@@ -123,6 +129,8 @@ jobs:
 
   publish-draft-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: ["setup-scripts", "build-srtool-runtimes"]
     outputs:
       release_url: ${{ steps.create-release.outputs.html_url }}

diff --git a/.github/workflows/publish-typescript-api.yml b/.github/workflows/publish-typescript-api.yml
@@ -9,6 +9,8 @@ on:
 jobs:
   publish-typescript-api:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -31,6 +33,8 @@ jobs:
 
   update-polkadot-js-for-tests-and-tools:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: ["publish-typescript-api"]
     steps:
       - name: Checkout
@@ -39,8 +43,6 @@ jobs:
           ref: ${{ github.event.inputs.sha }}
       - name: Use pnpm
         uses: pnpm/action-setup@v4
-        with:
-          version: 9
       - name: Use Node.js
         uses: actions/setup-node@v4
         with:

diff --git a/.github/workflows/runtime-release-issue.yml b/.github/workflows/runtime-release-issue.yml
@@ -15,6 +15,8 @@ on:
 jobs:
   setup-scripts:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - name: Upload tools
@@ -26,6 +28,9 @@ jobs:
   create_runtime_ticket:
     needs: ["setup-scripts"]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/subxt-diff.yml b/.github/workflows/subxt-diff.yml
@@ -13,6 +13,8 @@ jobs:
   build:
     runs-on:
       labels: bare-metal
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -29,6 +31,8 @@ jobs:
   local-diff:
     needs: build
     runs-on: bare-metal
+    permissions:
+      contents: read
     strategy:
       matrix:
         runtime: [moonbeam, moonbase, moonriver]
@@ -105,6 +109,9 @@ jobs:
   create_pr:
     needs: local-diff
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/upgrade-typescript-api.yml b/.github/workflows/upgrade-typescript-api.yml
@@ -9,6 +9,9 @@ on:
 jobs:
   upgrading-typescript-api:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
@@ -12,6 +12,9 @@ on:
 jobs:
   create_bump_ticket:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4