From b8910f1b21ce511fceadd0efa997dc72c93f3a77 Mon Sep 17 00:00:00 2001
From: Matthew Kilgore
Date: Sat, 27 Dec 2025 19:09:27 -0500
Subject: [PATCH] This should wipe out action related security flags
---
 .github/workflows/e2e-partial.yaml | 6 ++++++
 .github/workflows/issue-gatekeeper.yml | 6 +++++-
 .github/workflows/partial-backend.yaml | 6 ++++++
 .github/workflows/partial-frontend.yaml | 6 ++++++
 .github/workflows/pull-requests.yaml | 6 ++++++
 5 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/e2e-partial.yaml b/.github/workflows/e2e-partial.yaml
index 4a1d18da..8da98630 100644
--- a/.github/workflows/e2e-partial.yaml
+++ b/.github/workflows/e2e-partial.yaml
@@ -1,5 +1,11 @@
 name: E2E (Playwright)
+permissions:
+ contents: read
+ actions: read
+ checks: write
+ pull-requests: write
+
 on:
 workflow_call:
diff --git a/.github/workflows/issue-gatekeeper.yml b/.github/workflows/issue-gatekeeper.yml
index 18885653..56717a31 100644
--- a/.github/workflows/issue-gatekeeper.yml
+++ b/.github/workflows/issue-gatekeeper.yml
@@ -1,4 +1,8 @@
 name: Issue Gatekeeper
+
+permissions:
+ issues: write
+
 on:
 issues:
 types: [ opened ]
@@ -8,7 +12,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Verify Internal Template Use
- uses: actions/github-script@v7
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
 with:
 script: |
 const { owner, repo } = context.repo;
diff --git a/.github/workflows/partial-backend.yaml b/.github/workflows/partial-backend.yaml
index 246cdfb4..ac7efaf3 100644
--- a/.github/workflows/partial-backend.yaml
+++ b/.github/workflows/partial-backend.yaml
@@ -1,5 +1,11 @@
 name: Go Build/Test
+permissions:
+ contents: read
+ actions: read
+ checks: write
+ pull-requests: write
+
 on:
 workflow_call:
diff --git a/.github/workflows/partial-frontend.yaml b/.github/workflows/partial-frontend.yaml
index 1b20c299..a06887da 100644
--- a/.github/workflows/partial-frontend.yaml
+++ b/.github/workflows/partial-frontend.yaml
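Review bot: The `permissions:` block added at the top of e2e-partial.yaml grants `checks: write` and `pull-requests: write` to every job in the workflow, and the hunk does not show which step needs either scope; the identical block is repeated in partial-backend.yaml, partial-frontend.yaml and pull-requests.yaml. Declaring any block clears a missing-permissions scanner finding, but the benefit comes from granting only what is used, so I would keep `contents: read` at workflow level and move each write scope to the job that needs it, with a comment such as `# checks: write: required by <step name> to publish results`. Because the three partial-* files are `workflow_call` workflows, their token can only be narrowed relative to the caller, so every caller (including any outside this patch) has to grant at least these scopes; verify each one, since a caller with a narrower token is expected to fail when it invokes them.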
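Review bot: The new `uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd` line in issue-gatekeeper.yml pins to a commit SHA but drops the only human-readable version information, so nobody reading the file can tell whether this is still the v7 line it replaces or a different major release. Confirm which tag the SHA resolves to and record it as a trailing comment, e.g. `uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # vX.Y.Z`, which also lets Dependabot or Renovate keep the pin current. The other four workflows only gain a permissions block in this patch; if they reference actions by mutable tag, the same pinning applies there, though those lines are outside the hunks. The step's `script:` body continues past the end of this hunk.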
@@ -1,5 +1,11 @@
 name: Frontend
+permissions:
+ contents: read
+ actions: read
+ checks: write
+ pull-requests: write
+
 on:
 workflow_call:
diff --git a/.github/workflows/pull-requests.yaml b/.github/workflows/pull-requests.yaml
index fe4fe37b..bb8dff25 100644
--- a/.github/workflows/pull-requests.yaml
+++ b/.github/workflows/pull-requests.yaml
@@ -1,5 +1,11 @@
 name: Pull Request CI
+permissions:
+ contents: read
+ actions: read
+ checks: write
+ pull-requests: write
+
 on:
 pull_request:
 branches:
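Review bot: On the `pull_request` trigger in pull-requests.yaml the write scopes declared here are not honoured for pull requests from forks, where GitHub issues a read-only token by default, so any step that relies on `checks: write` or `pull-requests: write` will still fail for outside contributors. That restriction is the protective default and should not be worked around by moving to `pull_request_target`; a comment above the block, e.g. `# write scopes apply to same-repo PRs only; fork PRs get a read-only token`, would record the intent. This block is also the ceiling for any reusable workflow called from this file, presumably the partial-* workflows, although the `jobs:` section is not part of the hunk. The `on:` section continues past the end of the hunk.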