GitHub Workflows security hardening (#3470)
* build: harden docker-publish.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> * build: harden website.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> * build: harden changesets.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> * build: harden static-data.yml permissions Signed-off-by: Alex <aleksandrosansan@gmail.com> Signed-off-by: Alex <aleksandrosansan@gmail.com>
This commit is contained in:
parent
bd440840c8
commit
17984fa31b
@ -12,6 +12,9 @@ env:
|
|||
CI: true
|
||||
PNPM_CACHE_FOLDER: .pnpm-store
|
||||
|
||||
permissions:
|
||||
contents: read # to fetch code (actions/checkout)
|
||||
|
||||
jobs:
|
||||
# Update package versions from changesets.
|
||||
version:
|
||||
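Review bot: The new workflow-level `contents: read` now also caps the `version` job, whose steps lie outside the hunk; a changesets version job that opens or updates the release PR with `GITHUB_TOKEN` needs `contents: write` and `pull-requests: write` at job level, so confirm that run still succeeds after this change. If the job uses a dedicated PAT or GitHub App token for that step instead, the restriction is correct as written and nothing more is needed. Keep in mind that a job-level `permissions:` block replaces the workflow default rather than merging with it, so any job that later declares one must restate `contents: read` or `actions/checkout` will fail.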
@ -15,6 +15,10 @@ on:
|
|||
- 'master'
|
||||
tags:
|
||||
- 'v*'
|
||||
|
||||
permissions:
|
||||
contents: read # to fetch code (actions/checkout)
|
||||
|
||||
jobs:
|
||||
docker:
|
||||
runs-on: ubuntu-latest
|
||||
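Review bot: The `docker` job inherits only the new `contents: read`, and its steps are outside the hunk; if it pushes to ghcr.io with `GITHUB_TOKEN`, the push will now be rejected until the job declares `permissions:` with `contents: read` and `packages: write` (plus `id-token: write` if images are signed keyless or attested). If it instead logs in to an external registry with repository secrets, no extra grant is needed and the hardening is complete as written. Since this workflow runs on `v*` tag pushes and publishes artifacts, pinning the actions it uses to full commit SHAs would be the natural next step in the same hardening series.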
@ -10,6 +10,10 @@ on:
|
|||
# push:
|
||||
# branches:
|
||||
# - master
|
||||
|
||||
permissions:
|
||||
contents: read # to fetch code (actions/checkout)
|
||||
|
||||
jobs:
|
||||
prepare:
|
||||
name: Run script
|
||||
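Review bot: The `prepare` job ("Run script") inherits only the new `contents: read`, and its steps lie outside the hunk; if the script commits generated output back to the repository or opens a pull request with `GITHUB_TOKEN`, it now needs a job-level `permissions:` block with `contents: write` (and `pull-requests: write`), so confirm the run still succeeds. If it only reads the checkout and uploads artifacts, the default is correct and nothing more is needed. The commented-out `push:` trigger left directly above the new block would benefit from a one-line comment saying why it is disabled; the rest of the `on:` block starts outside the hunk, so the active trigger cannot be confirmed here.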
@ -9,8 +9,16 @@ on:
|
|||
schedule:
|
||||
- cron: '0 0 * * *'
|
||||
|
||||
permissions:
|
||||
contents: read # to fetch code (actions/checkout)
|
||||
|
||||
jobs:
|
||||
build:
|
||||
permissions:
|
||||
contents: read # to fetch code (actions/checkout)
|
||||
deployments: write
|
||||
pull-requests: write # to comment on pull-requests
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
env:
|
||||
NODE_OPTIONS: --max_old_space_size=4096
|
||||
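Review bot: `deployments: write` is the only grant in the new job-level block without a rationale comment, while its neighbours document theirs; `deployments: write # to create/update deployment statuses` keeps the block self-explanatory, with the caveat that none of the job's steps are in view, so confirm which step actually needs it. The block restates `contents: read` because a job-level `permissions:` replaces the workflow default rather than merging with it, which deserves a short comment so a later cleanup does not drop it as a duplicate. Separately, `pull-requests: write` only takes effect for same-repository pull requests: on fork PRs `GITHUB_TOKEN` is read-only regardless of this block, so the commenting step should tolerate that failure or be conditioned on the head repository. The `on:` block starts outside the hunk (only `schedule:` is visible), so whether the workflow also runs on `pull_request` cannot be confirmed here.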