From e9d4e372ce1f27d3ae74dfe247a9f2aff931fbf4 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Thu, 6 Feb 2025 08:10:25 -0500
Subject: [PATCH 1/4] Remove cache consumption in release workflow.

---
 .github/workflows/release.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 284a669269..5ba49c811b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,7 +19,6 @@ jobs:
 uses: actions/setup-node@v3
 with:
 node-version: lts/*
- cache: 'yarn'
 - name: Install Dependencies
 run: yarn install --frozen-lockfile

From fa879d4aea26f05cc8e5a3dc558fab06b2f5b784 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Thu, 6 Feb 2025 08:13:33 -0500
Subject: [PATCH 2/4] Tighten style-check.yml permissions

---
 .github/workflows/style-check.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/style-check.yml b/.github/workflows/style-check.yml
index 5b6eb5e0c5..a6a8bef91a 100644
--- a/.github/workflows/style-check.yml
+++ b/.github/workflows/style-check.yml
@@ -5,6 +5,7 @@ on: [push, pull_request_target]
 jobs:
 eslint_check_upload:
 runs-on: ubuntu-latest
+ permissions: read-all
 name: ESLint Check and Report Upload
 steps:
@@ -36,6 +37,8 @@ jobs:
 annotation:
 # Skip the annotation action in push events
 if: github.event_name == 'pull_request_target'
+ permissions:
+ checks: write
 needs: eslint_check_upload
 runs-on: ubuntu-latest
 name: ESLint Annotation
@@ -52,6 +55,7 @@ jobs:
 prettier_check:
 # In the forked PR, it's hard to format code and push to the branch directly, so the action only check the format correctness.
 if: github.event_name != 'push' && github.event.pull_request.head.repo.full_name != 'rrweb-io/rrweb'
+ permissions: read-all
 runs-on: ubuntu-latest
 name: Format Check
 steps:
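Review bot: Dropping `cache: 'yarn'` from the `actions/setup-node@v3` step leaves no record in release.yml of why this workflow must not restore caches, so a routine cleanup is likely to re-add it for speed. A comment on the `with:` block would preserve the intent: `# Intentionally no dependency cache: this workflow presumably holds release credentials, and restored cache entries can originate from lower-trust runs (the style-check workflow is triggered by pull_request_target), so dependencies are installed fresh from the lockfile.` With the cache gone, `yarn install --frozen-lockfile` on the next line is what pins the dependency set, so that flag should stay. The `@v3` tag is mutable; pinning the action to a full commit SHA would close the remaining supply-chain gap in this step. The enclosing job starts before the hunk.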
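Review bot: The per-job `permissions: read-all` added under `eslint_check_upload` (and the blocks added in the hunks at old lines 36 and 52 of this file) leaves the workflow-level default untouched, so any job added to this `pull_request_target` workflow later without its own block still inherits the repository-wide GITHUB_TOKEN default. A workflow-level default directly above `jobs:` — `permissions: {}` or `permissions:` followed by `  contents: read` — makes every job opt in to write scopes explicitly, which is what the `checks: write` and `contents: write` blocks later in this patch already do. Patch 4/4 in this series narrows `read-all` to `contents: read` on this same line, so that line itself needs no further change. Because the trigger on the `@@` line is `pull_request_target`, a short comment on `on:` recording that no job here may combine a checkout of the PR head with a write scope would document the invariant these blocks are enforcing; whether any current step checks out the PR head is not visible in this hunk.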
@@ -73,6 +77,8 @@ jobs:
 # Skip the format code action in forked PRs
 if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'rrweb-io/rrweb'
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 name: Format Code
 steps:
 - uses: actions/checkout@v3

From b34a6357ffb4017437414c0db60ca5b6e88d51c5 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Thu, 6 Feb 2025 08:14:54 -0500
Subject: [PATCH 3/4] Tighten permissions in test workflow that consumes cache.

---
 .github/workflows/ci-cd.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index b8f12ac6be..ab321811d1 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -7,6 +7,7 @@ concurrency: ${{ github.workflow }}-${{ github.ref }}
 jobs:
 release:
 name: Tests
+ permissions: read-all
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout Repo

From 569d0284a20b4d20337895b1c616d4b23811b3e9 Mon Sep 17 00:00:00 2001
From: Justin Halsall
Date: Tue, 11 Feb 2025 16:26:12 +0100
Subject: [PATCH 4/4] Use stricter permissions where possible

---
 .github/workflows/ci-cd.yml | 3 ++-
 .github/workflows/style-check.yml | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index ab321811d1..be3740374a 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -7,7 +7,8 @@ concurrency: ${{ github.workflow }}-${{ github.ref }}
 jobs:
 release:
 name: Tests
- permissions: read-all
+ permissions:
+ contents: read
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout Repo
diff --git a/.github/workflows/style-check.yml b/.github/workflows/style-check.yml
index a6a8bef91a..4dfb4340e2 100644
--- a/.github/workflows/style-check.yml
+++ b/.github/workflows/style-check.yml
@@ -5,7 +5,8 @@ on: [push, pull_request_target]
 jobs:
 eslint_check_upload:
 runs-on: ubuntu-latest
- permissions: read-all
+ permissions:
+ contents: read
 name: ESLint Check and Report Upload
 steps:
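Review bot: `contents: write` on the Format Code job is guarded only by the `if:` two lines above it, which relies on `github.event.pull_request.head.repo.full_name == 'rrweb-io/rrweb'`; since this workflow is triggered by `pull_request_target`, that condition is the entire boundary between a write-capable token and code supplied from a fork, and nothing in the file says so. A comment directly above `permissions:` would make the coupling explicit: `# contents: write is acceptable only because the if: above excludes fork PRs; never check out a fork's head in this job.` The `actions/checkout@v3` step below is pinned to a mutable tag; a full commit SHA is the usual hardening for a job whose token can push. Which ref that checkout uses is not visible in the hunk, and the job's key line and remaining steps are outside it.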
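Review bot: The `permissions: read-all` added to the Tests job in patch 3/4 (narrowed to `contents: read` at the same line by patch 4/4 in this series) is justified in the commit subject by the fact that this workflow still restores a cache, but that reasoning is not visible anywhere in ci-cd.yml. A comment above `permissions:` would keep the constraint from being loosened later: `# Keep this job read-only: it restores a cache that other branches can populate, so its token must not hold write scopes.` Whether the job also receives repository secrets cannot be seen from this hunk; if it does, the token scope alone does not cover them and the cache keying would deserve the same review. The cache step itself is outside the hunk.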
@@ -55,7 +56,8 @@ jobs:
 prettier_check:
 # In the forked PR, it's hard to format code and push to the branch directly, so the action only check the format correctness.
 if: github.event_name != 'push' && github.event.pull_request.head.repo.full_name != 'rrweb-io/rrweb'
- permissions: read-all
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 name: Format Check
 steps: