Merge pull request DSpace#1938 from tdonohue/harden_github_workflows

tdonohue · web-flow · commit e50c278497f7 · 2022-10-31T11:10:07.000-05:00
GitHub Workflows security hardening (for dspace-angular)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -6,6 +6,9 @@ name: Build
 # Run this Build for all pushes / PRs to current branch
 on: [push, pull_request]
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   tests:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -12,6 +12,9 @@ on:
       - 'dspace-**'
   pull_request:
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   docker:
     # Ensure this job never runs on forked repos. It's only executed for 'dspace/dspace-angular'
diff --git a/.github/workflows/issue_opened.yml b/.github/workflows/issue_opened.yml
@@ -5,6 +5,7 @@ on:
   issues:
     types: [opened]
 
+permissions: {}
 jobs:
   automation:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/label_merge_conflicts.yml b/.github/workflows/label_merge_conflicts.yml
@@ -11,13 +11,14 @@ on:
   pull_request_target:
     types: [ synchronize ]
 
+permissions: {}
+
 jobs:
   triage:
     # Ensure this job never runs on forked repos. It's only executed for 'dspace/dspace-angular'
     if: github.repository == 'dspace/dspace-angular'
     runs-on: ubuntu-latest
     permissions:
-      issues: write
       pull-requests: write
     steps:
       # See: https://github.com/prince-chrismc/label-merge-conflicts-action
