From 61d335fd865b11b0c94d25171d8296e3d18344fa Mon Sep 17 00:00:00 2001
From: Daniel Gibbs
Date: Mon, 9 Feb 2026 15:40:20 +0000
Subject: [PATCH] Adds explicit permissions to workflows

Specifies explicit permissions for GitHub Actions workflows to enhance security and control access to resources. This ensures that each workflow only has the necessary permissions, following the principle of least privilege.
---
 .github/workflows/add-to-project.yml | 2 ++
 .github/workflows/details-check.yml | 3 +++
 .github/workflows/git-sync.yml | 2 ++
 .github/workflows/potential-duplicates.yml | 4 ++++
 .github/workflows/serverlist-validate.yml | 3 +++
 .github/workflows/trigger-docker-build.yml | 2 ++
 .github/workflows/update-check.yml | 2 ++
 .github/workflows/update-copyright-years-in-license-file.yml | 4 ++++
 8 files changed, 22 insertions(+)

diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
index e0b06990f..e96336264 100644
--- a/.github/workflows/add-to-project.yml
+++ b/.github/workflows/add-to-project.yml
@@ -5,6 +5,8 @@ on:
 - opened
 - labeled
 
+permissions: {}
+
 jobs:
 add-to-project:
 if: github.repository_owner == 'GameServerManagers'
diff --git a/.github/workflows/details-check.yml b/.github/workflows/details-check.yml
index f52d12c5a..7916b9aae 100644
--- a/.github/workflows/details-check.yml
+++ b/.github/workflows/details-check.yml
@@ -6,6 +6,9 @@ on:
 branches:
 - develop
 
+permissions:
+ contents: read
+
 concurrency:
 group: details-check-${{ github.ref_name }}
 cancel-in-progress: true
diff --git a/.github/workflows/git-sync.yml b/.github/workflows/git-sync.yml
index 544ba6892..42c660d9b 100644
--- a/.github/workflows/git-sync.yml
+++ b/.github/workflows/git-sync.yml
@@ -7,6 +7,8 @@ on:
 - master
 - develop
 
+permissions: {}
+
 jobs:
 gitHub-to-bitbucket:
 if: github.repository_owner == 'GameServerManagers'
diff --git a/.github/workflows/potential-duplicates.yml b/.github/workflows/potential-duplicates.yml
index ea0ba23fd..39a3189d8 100644
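Review bot: `permissions: {}` removes every scope from the job's `GITHUB_TOKEN` except the implicit `metadata: read`, and the job body that would show whether any step still relies on that token is outside this hunk, so the grant cannot be confirmed from the diff; the same applies to git-sync.yml, trigger-docker-build.yml and update-check.yml. Steps that authenticate with a stored secret (a PAT or deploy key) are unaffected, but a step that uses `github.token` or `secrets.GITHUB_TOKEN` for an API call, or a checkout of a private repository, would now be refused, so one run of each of these four workflows after merge is the cheap check. If `{}` is intentional because the job brings its own credential, a comment above the block such as `# GITHUB_TOKEN is unused; the job authenticates with its own secret` would save the next reviewer the same question. The `jobs:` section of add-to-project.yml continues outside the hunk.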
--- a/.github/workflows/potential-duplicates.yml
+++ b/.github/workflows/potential-duplicates.yml
@@ -3,6 +3,10 @@ on:
 issues:
 types:
 - opened
+
+permissions:
+ issues: write
+
 jobs:
 potential-duplicates:
 if: github.repository_owner == 'GameServerManagers'
diff --git a/.github/workflows/serverlist-validate.yml b/.github/workflows/serverlist-validate.yml
index f4a95a039..c2605b062 100644
--- a/.github/workflows/serverlist-validate.yml
+++ b/.github/workflows/serverlist-validate.yml
@@ -3,6 +3,9 @@ on:
 workflow_dispatch:
 push:
 
+permissions:
+ contents: read
+
 jobs:
 serverlist-validate:
 if: github.repository_owner == 'GameServerManagers'
diff --git a/.github/workflows/trigger-docker-build.yml b/.github/workflows/trigger-docker-build.yml
index ab37c882d..390123322 100644
--- a/.github/workflows/trigger-docker-build.yml
+++ b/.github/workflows/trigger-docker-build.yml
@@ -6,6 +6,8 @@ on:
 types:
 - published
 
+permissions: {}
+
 jobs:
 trigger_build_docker-linuxgsm:
 if: github.repository_owner == 'GameServerManagers'
diff --git a/.github/workflows/update-check.yml b/.github/workflows/update-check.yml
index 2f2f7babc..e1f4bb615 100644
--- a/.github/workflows/update-check.yml
+++ b/.github/workflows/update-check.yml
@@ -6,6 +6,8 @@ on:
 branches:
 - develop
 
+permissions: {}
+
 concurrency:
 group: update-check-${{ github.ref_name }}
 cancel-in-progress: true
diff --git a/.github/workflows/update-copyright-years-in-license-file.yml b/.github/workflows/update-copyright-years-in-license-file.yml
index 3301c9cb7..1123b8cce 100644
--- a/.github/workflows/update-copyright-years-in-license-file.yml
+++ b/.github/workflows/update-copyright-years-in-license-file.yml
@@ -4,6 +4,10 @@ on:
 schedule:
 - cron: "0 3 1 1 *" # 03:00 AM on January 1
 
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 update-license-year:
 if: github.repository_owner == 'GameServerManagers'
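Review bot: `issues: write` in potential-duplicates.yml is the one scope in this commit that lets a workflow modify repository data on an event any outside account can raise (`issues: opened`), and the job body that consumes the issue is outside the hunk, so whether it uses `github.token` or a stored PAT is not visible; if it uses a PAT this block has no effect and the real privilege lives in the secret. Because the trigger is attacker-controllable, the step that reads the issue title and body should treat them as untrusted input, passing them through `env:` rather than interpolating `${{ github.event.issue.* }}` into a `run:` line, which cannot be confirmed from this diff. A comment above the scope such as `# write: the job labels/comments on the newly opened issue` would record why `read` is not enough.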
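Review bot: `contents: write` plus `pull-requests: write` in update-copyright-years-in-license-file.yml is the broadest grant in this commit, and because it is declared at workflow level it covers every job in the file, including any added later; moving the block under `update-license-year:` as a job-level `permissions:` would tie the scope to the one job that pushes the branch and opens the pull request. The job body is outside the hunk, so I cannot confirm both scopes are consumed; if the action does both with `GITHUB_TOKEN` they are needed, though a pull request opened with `GITHUB_TOKEN` does not start other workflows, which is worth knowing if maintainers expect CI checks on it. A one-line comment such as `# write: the job pushes a branch and opens a PR with the updated year` would document the elevated scope.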