Limit permissions for CI jobs where possible

2026-04-27 10:48:09 -04:00 · 2023-09-10 20:52:56 +02:00
parent fea4c63840
commit cf1a53f1b4
6 changed files with 76 additions and 8 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,11 +1,10 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
 version: 2
 updates:
-  - package-ecosystem: "gradle" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: "gradle"
+    directory: "/"
    schedule:
      interval: "daily"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -9,6 +9,20 @@ on:
  pull_request:
    branches:
      - main
+permissions:
+  actions: none
+  checks: none
+  contents: read
+  deployments: none
+  discussions: none
+  id-token: none
+  issues: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
 env:
  JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
 jobs:
--- a/.github/workflows/changelog-to-fastlane.yml
+++ b/.github/workflows/changelog-to-fastlane.yml
@@ -6,6 +6,20 @@ on:
      - main
    paths:
      - 'CHANGELOG.md'
+permissions:
+  actions: none
+  checks: none
+  contents: read
+  deployments: none
+  discussions: none
+  id-token: none
+  issues: none
+  packages: none
+  pages: none
+  pull-requests: write
+  repository-projects: none
+  security-events: none
+  statuses: none
 jobs:
  convert_changelog_to_fastlane:
    runs-on: ubuntu-latest
--- a/.github/workflows/contributors-to-file.yml
+++ b/.github/workflows/contributors-to-file.yml
@@ -3,7 +3,20 @@ on:
  workflow_dispatch:
  schedule:
    - cron: '3 4 * * 0'
-
+permissions:
+  actions: none
+  checks: none
+  contents: write
+  deployments: none
+  discussions: none
+  id-token: none
+  issues: none
+  packages: none
+  pages: none
+  pull-requests: write
+  repository-projects: none
+  security-events: none
+  statuses: none
 jobs:
  contributors_to_file:
    runs-on: ubuntu-latest
--- a/.github/workflows/generate-feature-graphic.yml
+++ b/.github/workflows/generate-feature-graphic.yml
@@ -6,6 +6,20 @@ on:
      - main
    paths:
      - 'fastlane/**/title.txt'
+permissions:
+  actions: none
+  checks: none
+  contents: write
+  deployments: none
+  discussions: none
+  id-token: none
+  issues: none
+  packages: none
+  pages: none
+  pull-requests: write
+  repository-projects: none
+  security-events: none
+  statuses: none
 jobs:
  generate-feature-graphic:
    runs-on: ubuntu-latest
--- a/.github/workflows/update-locales.yml
+++ b/.github/workflows/update-locales.yml
@@ -6,6 +6,20 @@ on:
      - main
    paths:
      - app/src/main/res/values/settings.xml
+permissions:
+  actions: none
+  checks: none
+  contents: write
+  deployments: none
+  discussions: none
+  id-token: none
+  issues: none
+  packages: none
+  pages: none
+  pull-requests: write
+  repository-projects: none
+  security-events: none
+  statuses: none
 jobs:
  update-locales:
    runs-on: ubuntu-latest