ci: add GitHub token permissions for workflows (#47652)

varunsh-coder · web-flow · commit 25d1c176e763 · 2022-07-11T09:57:29.000-07:00
* ci: add GitHub token permissions for workflows

Signed-off-by: Varun Sharma &lt;varunsh@stepsecurity.io&gt;

* trim trailing whitespace

Signed-off-by: Varun Sharma &lt;varunsh@stepsecurity.io&gt;

* Update stale-pr.yml

Signed-off-by: Varun Sharma &lt;varunsh@stepsecurity.io&gt;
diff --git a/.github/workflows/32-bit-linux.yml b/.github/workflows/32-bit-linux.yml
@@ -12,6 +12,9 @@ on:
     paths-ignore:
       - "doc/**"
 
+permissions:
+  contents: read
+
 jobs:
   pytest:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/assign.yml b/.github/workflows/assign.yml
@@ -3,8 +3,14 @@ on:
   issue_comment:
     types: created
 
+permissions:
+  contents: read
+
 jobs:
   issue_assign:
+    permissions:
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
     - if: github.event.comment.body == 'take'
diff --git a/.github/workflows/asv-bot.yml b/.github/workflows/asv-bot.yml
@@ -9,8 +9,15 @@ env:
   ENV_FILE: environment.yml
   COMMENT: ${{github.event.comment.body}}
 
+permissions:
+  contents: read
+
 jobs:
   autotune:
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
     name: "Run benchmarks"
     # TODO: Support more benchmarking options later, against different branches, against self, etc
     if: startsWith(github.event.comment.body, '@github-actions benchmark')
diff --git a/.github/workflows/autoupdate-pre-commit-config.yml b/.github/workflows/autoupdate-pre-commit-config.yml
@@ -5,8 +5,14 @@ on:
     - cron: "0 7 1 * *" # At 07:00 on 1st of every month.
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update-pre-commit:
+    permissions:
+      contents: write  # for technote-space/create-pr-action to push code
+      pull-requests: write  # for technote-space/create-pr-action to create a PR
     if: github.repository_owner == 'pandas-dev'
     name: Autoupdate pre-commit config
     runs-on: ubuntu-latest
diff --git a/.github/workflows/code-checks.yml b/.github/workflows/code-checks.yml
@@ -14,6 +14,9 @@ env:
   ENV_FILE: environment.yml
   PANDAS_CI: 1
 
+permissions:
+  contents: read
+
 jobs:
   pre_commit:
     name: pre-commit
diff --git a/.github/workflows/docbuild-and-upload.yml b/.github/workflows/docbuild-and-upload.yml
@@ -14,6 +14,9 @@ env:
   ENV_FILE: environment.yml
   PANDAS_CI: 1
 
+permissions:
+  contents: read
+
 jobs:
   web_and_docs:
     name: Doc Build and Upload
diff --git a/.github/workflows/macos-windows.yml b/.github/workflows/macos-windows.yml
@@ -18,6 +18,9 @@ env:
   PATTERN: "not slow and not db and not network and not single_cpu"
 
 
+permissions:
+  contents: read
+
 jobs:
   pytest:
     defaults:
diff --git a/.github/workflows/python-dev.yml b/.github/workflows/python-dev.yml
@@ -27,6 +27,9 @@ env:
   COVERAGE: true
   PYTEST_TARGET: pandas
 
+permissions:
+  contents: read
+
 jobs:
   build:
     if: false # Comment this line out to "unfreeze"
diff --git a/.github/workflows/sdist.yml b/.github/workflows/sdist.yml
@@ -13,6 +13,9 @@ on:
     paths-ignore:
       - "doc/**"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     if: ${{ github.event.label.name == 'Build' || contains(github.event.pull_request.labels.*.name, 'Build') || github.event_name == 'push'}}
diff --git a/.github/workflows/stale-pr.yml b/.github/workflows/stale-pr.yml
@@ -4,8 +4,13 @@ on:
   # * is a special character in YAML so you have to quote this string
   - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
     - uses: actions/stale@v4
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
@@ -15,6 +15,9 @@ on:
 env:
   PANDAS_CI: 1
 
+permissions:
+  contents: read
+
 jobs:
   pytest:
     runs-on: ubuntu-latest
