chore(sec): remove not needed permissions (#1442)

this PR removes a few permissions in CI where I don't think they are needed
2025-12-06 14:20:02 +00:00 · 2025-10-10 15:40:03 +02:00
parent 13ce1039ee
commit 8cd5e28f3a
4 changed files with 23 additions and 4 deletions
--- a/.github/workflows/auto-merge-dependabot.yml
+++ b/.github/workflows/auto-merge-dependabot.yml
@@ -7,7 +7,7 @@ permissions: write-all
 jobs:
  dependabot:
    runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,7 +11,8 @@ jobs:
  build-node:
    name: "build on ${{ matrix.os }}"
    runs-on: ${{ matrix.os }}
-
+    permissions:
+      contents: read
    if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }}

    strategy:
@@ -21,6 +22,7 @@ jobs:

    steps:
      - uses: actions/checkout@v5
+        with: { persist-credentials: false }
      - uses: actions/setup-node@v5
        with:
          node-version-file: '.nvmrc'
@@ -34,10 +36,13 @@ jobs:
  build-artifacts:
    name: "build artifacts"
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    if: ${{ github.event_name == 'push' || github.event_name == 'pull_request' }}

    steps:
      - uses: actions/checkout@v5
+        with: { persist-credentials: false }
      - uses: actions/setup-node@v5
        with:
          node-version-file: '.nvmrc'
@@ -81,9 +86,12 @@ jobs:
  unit-tests:
    name: "Unit tests"
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v5
+        with: { persist-credentials: false }
      - run: npm ci
      - run: npm run test-unit-ci
      - name: Upload coverage reports to Codecov
@@ -96,9 +104,12 @@ jobs:
    name: "E2E tests using chrome"

    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v5
+        with: { persist-credentials: false }
      - run: npm ci
      - name: Cypress run
        uses: cypress-io/github-action@v6
@@ -119,6 +130,7 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v5
+        with: { persist-credentials: false }
      - run: npm ci
      - name: Cypress run
        uses: cypress-io/github-action@v6
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -8,9 +8,12 @@ jobs:
  deploy-pages:
    name: deploy/pages
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
    if: ${{ github.event_name == 'push' }}
    steps:
      - uses: actions/checkout@v5
+        with: { persist-credentials: false }

      - name: Use Node.js from nvmrc
        uses: actions/setup-node@v5
@@ -33,9 +36,10 @@ jobs:
  deploy-docker:
    name: deploy/docker
    runs-on: ubuntu-latest
-
    if: ${{ github.event_name == 'push' }}
-
+    permissions:
+      contents: read
+      packages: write
    strategy:
      fail-fast: false

--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,11 +12,14 @@ jobs:
    defaults:
      run:
        shell: bash
+    permissions:
+      contents: read
    steps:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0
          ref: main
+          persist-credentials: false

      - name: Use Node.js from nvmrc
        uses: actions/setup-node@v5