From a78a72fb162d0ab138e248744c37207a47b096d7 Mon Sep 17 00:00:00 2001 From: Boshen Date: Mon, 20 Jan 2025 13:19:50 +0800 Subject: [PATCH] ci: fix overly broad permissions reported by zizmor (#8611) https://woodruffw.github.io/zizmor/audits/#excessive-permissions --- .github/workflows/autofix.yml | 2 ++ .github/workflows/benchmark.yml | 2 ++ .github/workflows/bloat.yml | 2 ++ .github/workflows/cargo_llvm_lines.yml | 2 ++ .github/workflows/ci.yml | 2 ++ .github/workflows/ci_security.yml | 7 +++---- .github/workflows/ci_vscode.yml | 2 ++ .github/workflows/codecov.yml | 2 ++ .github/workflows/deny.yml | 2 ++ .github/workflows/link_check.yml | 2 ++ .github/workflows/lint_rules.yml | 5 +++++ .github/workflows/miri.yml | 2 ++ .github/workflows/pr.yml | 8 ++------ .github/workflows/prepare_release_crates.yml | 5 +++++ .github/workflows/prepare_release_oxlint.yml | 2 ++ .github/workflows/release_crates.yml | 2 ++ .github/workflows/release_napi_minify.yml | 2 ++ .github/workflows/release_napi_parser.yml | 2 ++ .github/workflows/release_napi_transform.yml | 2 ++ .github/workflows/release_oxlint.yml | 2 ++ .github/workflows/release_types.yml | 2 ++ .github/workflows/release_vscode.yml | 4 ++-- .github/workflows/release_wasm.yml | 2 ++ .github/workflows/reusable_prepare_release.yml | 2 ++ .github/workflows/reusable_release_napi.yml | 2 ++ 25 files changed, 57 insertions(+), 12 deletions(-) diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml index 4b4eb45dde126..3fcaab2a997a2 100644 --- a/.github/workflows/autofix.yml +++ b/.github/workflows/autofix.yml @@ -1,5 +1,7 @@ name: autofix.ci # For security reasons, the workflow in which the autofix.ci action is used must be named "autofix.ci". +permissions: {} + on: pull_request: types: [opened, synchronize] diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 8399495fc105c..76e8f9d854549 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml 
@@ -13,6 +13,8 @@ name: Benchmark +permissions: {} + on: workflow_dispatch: pull_request: diff --git a/.github/workflows/bloat.yml b/.github/workflows/bloat.yml index c852e53147f1c..dd69f3b39770c 100644 --- a/.github/workflows/bloat.yml +++ b/.github/workflows/bloat.yml @@ -2,6 +2,8 @@ name: Cargo Bloat +permissions: {} + on: workflow_dispatch: diff --git a/.github/workflows/cargo_llvm_lines.yml b/.github/workflows/cargo_llvm_lines.yml index adb73dd04b4fb..9685809c01686 100644 --- a/.github/workflows/cargo_llvm_lines.yml +++ b/.github/workflows/cargo_llvm_lines.yml @@ -2,6 +2,8 @@ name: Cargo LLVM Lines +permissions: {} + on: workflow_dispatch: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 634f80e240b43..485cc670ebe2a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,7 @@ name: CI +permissions: {} + on: workflow_dispatch: pull_request: diff --git a/.github/workflows/ci_security.yml b/.github/workflows/ci_security.yml index 14d95f0659fc3..8dfb6b3398dac 100644 --- a/.github/workflows/ci_security.yml +++ b/.github/workflows/ci_security.yml @@ -1,5 +1,7 @@ name: GitHub Actions Security Analysis +permissions: {} + on: workflow_dispatch: pull_request: @@ -20,10 +22,7 @@ jobs: permissions: security-events: write steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - persist-credentials: false + - uses: taiki-e/checkout-action@b13d20b7cda4e2f325ef19895128f7ff735c0b3d # v1.3.1 - uses: taiki-e/install-action@a7adeb15af2926b0ac7478ad165047cd2d8ba350 # v2.47.18 with: diff --git a/.github/workflows/ci_vscode.yml b/.github/workflows/ci_vscode.yml index 226c77d54635f..9e6ab37152d7b 100644 --- a/.github/workflows/ci_vscode.yml +++ b/.github/workflows/ci_vscode.yml @@ -1,5 +1,7 @@ name: CI VSCode +permissions: {} + on: workflow_dispatch: pull_request: diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml index 11572bec20fc4..68e367574f59e 100644 
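Review bot: The explicit `persist-credentials: false` is lost in the ci_security.yml hunk when the `actions/checkout` step is swapped for `taiki-e/checkout-action`, so the file no longer states whether a token is left in `.git/config` after checkout; if the replacement action does persist credentials, the job's token (now scoped to `security-events: write`) becomes reachable by every later step. Confirm the action's behaviour and either keep `actions/checkout` with `persist-credentials: false` or record the reason for the swap next to it, e.g. `# checkout-action clones without the token, so nothing is persisted (zizmor artipacked)`. Note also that the new workflow-level `permissions: {}` leaves this job with only `security-events: write`; if the step that presumably uploads results (outside the hunk) needs `contents: read`, add it to the job's `permissions:` block. The descriptive `- name: Checkout repository` label was dropped too, leaving only bare `uses:` steps in the run log.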
--- a/.github/workflows/codecov.yml +++ b/.github/workflows/codecov.yml @@ -2,6 +2,8 @@ name: Code Coverage +permissions: {} + on: workflow_dispatch: push: diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml index 339091b27223c..6cf827559fda3 100644 --- a/.github/workflows/deny.yml +++ b/.github/workflows/deny.yml @@ -1,5 +1,7 @@ name: Cargo Deny +permissions: {} + on: workflow_dispatch: pull_request: diff --git a/.github/workflows/link_check.yml b/.github/workflows/link_check.yml index cbf5fde3f94ea..c407700d17c50 100644 --- a/.github/workflows/link_check.yml +++ b/.github/workflows/link_check.yml @@ -1,5 +1,7 @@ name: Check Links +permissions: {} + on: workflow_dispatch: push: diff --git a/.github/workflows/lint_rules.yml b/.github/workflows/lint_rules.yml index bf67cc095c3eb..b904751f51994 100644 --- a/.github/workflows/lint_rules.yml +++ b/.github/workflows/lint_rules.yml @@ -1,5 +1,7 @@ name: Update implementation status of all linter plugins +permissions: {} + on: push: branches: @@ -13,6 +15,9 @@ on: jobs: lint_rules: runs-on: ubuntu-latest + permissions: + contents: read + issues: write steps: - name: Checkout Branch uses: taiki-e/checkout-action@b13d20b7cda4e2f325ef19895128f7ff735c0b3d # v1.3.1 diff --git a/.github/workflows/miri.yml b/.github/workflows/miri.yml index c90f6763327d1..5235ed1fb0606 100644 --- a/.github/workflows/miri.yml +++ b/.github/workflows/miri.yml @@ -1,5 +1,7 @@ name: Miri +permissions: {} + on: workflow_dispatch: pull_request: diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index c9b429bff8f86..f2720268f17f8 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -1,5 +1,7 @@ name: Check PR +permissions: {} + on: pull_request_target: # zizmor: ignore[dangerous-triggers] types: @@ -27,12 +29,6 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: requireScope: true - disallowScopes: | - build - chore - ci - release - revert types: | build chore 
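Review bot: In pr.yml the new workflow-level `permissions: {}` strips every scope from the `GITHUB_TOKEN` that the hunk still passes to the PR-title check step (`requireScope`, `types`), and no job-level `permissions:` block is visible in the hunk; a title check that reads the pull request needs at least `pull-requests: read`, so confirm the job (its header is outside the hunk) declares `permissions: pull-requests: read` rather than relying on the old default. With `pull_request_target` as the trigger, an empty default is arguably the baseline that makes the `zizmor: ignore[dangerous-triggers]` tolerable, but only if no job in this file checks out or runs the PR head, which cannot be verified from the hunk. Separately, deleting the `disallowScopes` list changes which commit scopes are accepted in PR titles and is unrelated to the permissions fix; either restore it or state the behaviour change in the commit message. The `types:` list continues past the end of the hunk.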
diff --git a/.github/workflows/prepare_release_crates.yml b/.github/workflows/prepare_release_crates.yml index 104c24c2004d4..9234179edda88 100644 --- a/.github/workflows/prepare_release_crates.yml +++ b/.github/workflows/prepare_release_crates.yml @@ -1,5 +1,7 @@ name: Prepare Release Crates +permissions: {} + on: workflow_dispatch: @@ -33,6 +35,9 @@ jobs: needs: prepare name: Trigger Monitor Oxc runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: taiki-e/checkout-action@b13d20b7cda4e2f325ef19895128f7ff735c0b3d # v1.3.1 diff --git a/.github/workflows/prepare_release_oxlint.yml b/.github/workflows/prepare_release_oxlint.yml index 0dce8115a16cc..ce4ad92c52675 100644 --- a/.github/workflows/prepare_release_oxlint.yml +++ b/.github/workflows/prepare_release_oxlint.yml @@ -1,5 +1,7 @@ name: Prepare Release Oxlint +permissions: {} + on: workflow_dispatch: push: diff --git a/.github/workflows/release_crates.yml b/.github/workflows/release_crates.yml index c99a2ee8a9f4d..ed160e6170857 100644 --- a/.github/workflows/release_crates.yml +++ b/.github/workflows/release_crates.yml @@ -1,5 +1,7 @@ name: Release Crates +permissions: {} + on: workflow_dispatch: push: diff --git a/.github/workflows/release_napi_minify.yml b/.github/workflows/release_napi_minify.yml index a71d50dd5c379..d79466bd3cab0 100644 --- a/.github/workflows/release_napi_minify.yml +++ b/.github/workflows/release_napi_minify.yml @@ -1,5 +1,7 @@ name: Release NAPI Minify +permissions: {} + on: push: branches: diff --git a/.github/workflows/release_napi_parser.yml b/.github/workflows/release_napi_parser.yml index 78043c258e38a..20d64cb922bf6 100644 --- a/.github/workflows/release_napi_parser.yml +++ b/.github/workflows/release_napi_parser.yml @@ -1,5 +1,7 @@ name: Release NAPI Parser +permissions: {} + on: push: branches: diff --git a/.github/workflows/release_napi_transform.yml b/.github/workflows/release_napi_transform.yml index a35bca3744dc6..8f53d7be6129c 100644 
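Review bot: The `Trigger Monitor Oxc` job in prepare_release_crates.yml is granted `issues: write` and `pull-requests: write` but not `contents: read`, whereas the lint_rules job patched in this same commit, which also checks out with `taiki-e/checkout-action`, was given `contents: read`; since a job-level `permissions:` block disables every scope it does not list, the two jobs now disagree on whether checkout (or a later `gh`/API call, outside the hunk) needs repository read access. Pick one: if checkout-action works without the token on this repository, drop `contents: read` from lint_rules for consistency, otherwise add `contents: read` to this job's block. The job's steps continue beyond the hunk, so the calls that justify `pull-requests: write` could not be checked here.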
--- a/.github/workflows/release_napi_transform.yml +++ b/.github/workflows/release_napi_transform.yml @@ -1,5 +1,7 @@ name: Release NAPI Transform +permissions: {} + on: push: branches: diff --git a/.github/workflows/release_oxlint.yml b/.github/workflows/release_oxlint.yml index 8917977789064..827317288a505 100644 --- a/.github/workflows/release_oxlint.yml +++ b/.github/workflows/release_oxlint.yml @@ -1,5 +1,7 @@ name: Release Oxlint +permissions: {} + on: workflow_dispatch: push: diff --git a/.github/workflows/release_types.yml b/.github/workflows/release_types.yml index 5ad880f9231ec..684add5f080e1 100644 --- a/.github/workflows/release_types.yml +++ b/.github/workflows/release_types.yml @@ -1,5 +1,7 @@ name: Release @oxc-project/types +permissions: {} + on: workflow_dispatch: push: diff --git a/.github/workflows/release_vscode.yml b/.github/workflows/release_vscode.yml index 5bb96d7a46f84..50cca8b19107d 100644 --- a/.github/workflows/release_vscode.yml +++ b/.github/workflows/release_vscode.yml @@ -1,7 +1,7 @@ -# Reference: https://github.com/biomejs/biome/blob/main/.github/workflows/release_lsp.yml - name: Release VSCode +permissions: {} + on: push: branches: diff --git a/.github/workflows/release_wasm.yml b/.github/workflows/release_wasm.yml index 0ba55c4a3edee..95799080f3ef1 100644 --- a/.github/workflows/release_wasm.yml +++ b/.github/workflows/release_wasm.yml @@ -1,5 +1,7 @@ name: Release WASM +permissions: {} + on: workflow_dispatch: push: diff --git a/.github/workflows/reusable_prepare_release.yml b/.github/workflows/reusable_prepare_release.yml index d33ce39248763..9a2a0b7a90a07 100644 --- a/.github/workflows/reusable_prepare_release.yml +++ b/.github/workflows/reusable_prepare_release.yml @@ -1,5 +1,7 @@ name: Prepare Release +permissions: {} + on: workflow_call: inputs: diff --git a/.github/workflows/reusable_release_napi.yml b/.github/workflows/reusable_release_napi.yml index 4b903433e2e5a..730ca07d90fda 100644 
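Review bot: The deleted `# Reference: https://github.com/biomejs/biome/blob/main/.github/workflows/release_lsp.yml` line at the top of release_vscode.yml was the only attribution for where this workflow was derived from, and removing it has nothing to do with the permissions fix. Keep the provenance below the `name:` line, e.g. `# Adapted from https://github.com/biomejs/biome/blob/main/.github/workflows/release_lsp.yml`. The other release_*.yml hunks in this patch only gain the two `permissions: {}` lines, so this one is the odd one out and deserves a word in the commit message if the removal is intentional.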
--- a/.github/workflows/reusable_release_napi.yml +++ b/.github/workflows/reusable_release_napi.yml @@ -1,5 +1,7 @@ name: Release NAPI +permissions: {} + on: workflow_call: inputs:
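Review bot: For a `workflow_call` workflow such as reusable_release_napi.yml the new top-level `permissions: {}` interacts with the callers: GitHub caps a called workflow's token at what the calling job grants, and this commit also sets `permissions: {}` at the top of the callers (release_napi_minify/parser/transform.yml), so any job in this file that publishes now only gets a scope — whatever it actually uses, e.g. `contents: write` or `id-token: write` — if both the calling job and the job here declare it. Neither side's job-level `permissions:` is visible in these hunks, so confirm the publish jobs (outside the hunk) declare their scopes explicitly rather than relying on the previous default, and run the release workflows once on a test tag before trusting them. A one-line comment under the new line would spare the next reader the lookup: `# Jobs below must declare their own permissions; callers cap them.` The same applies to reusable_prepare_release.yml.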