This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 7806dabd65 [StepSecurity] ci: Harden GitHub Actions (#719)
7806dabd65 is described below

commit 7806dabd659040b8317c2e009ec65d46eeb98fcb
Author: StepSecurity Bot <b...@stepsecurity.io>
AuthorDate: Sun Mar 3 00:08:26 2024 -0800

    [StepSecurity] ci: Harden GitHub Actions (#719)
    
    Security Fixes
    Least Privileged GitHub Actions Token Permissions
    The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.
    
    GitHub Security Guide
    The Open Source Security Foundation (OpenSSF) Security Guide
    Feedback
    For bug reports, feature requests, and general feedback, please email supp...@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.
    
    Signed-off-by: StepSecurity Bot b...@stepsecurity.io at the request of @JacquesLeRoux
---
 .github/workflows/codeql-analysis.yml | 3 +++
 .github/workflows/docker-image.yaml   | 3 +++
 .github/workflows/gradle.yaml         | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/codeql-analysis.yml 
b/.github/workflows/codeql-analysis.yml
index 580f7ee59a..102df1c83f 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -32,6 +32,9 @@ on:
   schedule:
     - cron: '27 15 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
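Review bot: an explicit workflow-level `permissions:` block replaces the default token scopes rather than narrowing them, so after this hunk the `analyze` job inherits only `contents: read`; CodeQL's result upload also needs `security-events: write`, so confirm the job declares its own `permissions:` with `contents: read` and `security-events: write` (not visible in this hunk), otherwise the upload step will be refused. The top-level default itself is the right choice.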
diff --git a/.github/workflows/docker-image.yaml 
b/.github/workflows/docker-image.yaml
index 1cff4a790e..4ecca30b07 100644
--- a/.github/workflows/docker-image.yaml
+++ b/.github/workflows/docker-image.yaml
@@ -44,6 +44,9 @@ on:
     tags:
       - '**'
 
+permissions:
+  contents: read
+
 jobs:
   docker_build:
     name: Build and push OFBiz docker container images
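Review bot: `docker_build` pushes images (per its name), and with this block it inherits only `contents: read`; if it logs in to ghcr.io with GITHUB_TOKEN it needs a job-level `permissions:` adding `packages: write`, whereas a push to an external registry with a stored secret needs nothing further. Worth verifying before merge, because this workflow fires on every tag push (`tags: '**'`), so a failing push would only surface at release time.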
diff --git a/.github/workflows/gradle.yaml b/.github/workflows/gradle.yaml
index 55f3983042..54166666ec 100644
--- a/.github/workflows/gradle.yaml
+++ b/.github/workflows/gradle.yaml
@@ -25,6 +25,9 @@ on:
   pull_request:
     branches: [ trunk ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
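Review bot: fine as is; checkout plus a Gradle build needs only `contents: read`. Note that `pull_request` runs from forks already receive a read-only token, so this block mainly hardens the trunk `push` runs, which is where a write-capable default token would matter. If a job is later added that comments on PRs or uploads scan results, give it a job-level `permissions:` rather than widening this workflow-level default.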

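The pattern the commit message describes, shown as an added example that is not from the OFBiz repository or from StepSecurity: a workflow-level `permissions: {}` removes every default scope, and each job then states the minimum it needs, including the `security-events: write` a CodeQL job must add on top of `contents: read`. The workflow name and the `./gradlew build` step are assumptions for illustration; the action references are the public `actions/checkout` and `github/codeql-action` ones.

```yaml
# Added example (not the OFBiz project's own workflow): least-privilege
# GITHUB_TOKEN scopes declared per job instead of relying on the repository default.
name: least-privilege-example   # hypothetical workflow name

on:
  push:
    branches: [ trunk ]
  pull_request:
    branches: [ trunk ]

# Workflow-level default: no scopes at all. A job that omits `permissions:`
# inherits this empty set, so every job below must say what it needs.
permissions: {}

jobs:
  build:
    # Checkout plus compile: read access to the repository is sufficient.
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./gradlew build   # hypothetical build command

  analyze:
    # Code scanning must upload SARIF results, which requires security-events: write.
    # Declaring it here keeps the wider scope confined to this one job.
    permissions:
      contents: read
      security-events: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: java
      - uses: github/codeql-action/analyze@v3
```

Without any `permissions:` key, the job token receives the repository's configured default, which for older repositories is read/write on every scope; the empty workflow-level block makes an omitted job-level declaration fail closed (the step that needed a scope errors out) instead of silently running with a write-capable token.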