feat(github): Force default permissions of GITHUB_TOKEN

DataDog · Aug 28, 2024 · 562ffc1 · 562ffc1
1 parent ea18bcf
commit 562ffc1
Show file tree

Hide file tree

Showing 21 changed files with 41 additions and 0 deletions.
diff --git a/.github/workflows/add_milestone.yml b/.github/workflows/add_milestone.yml
@@ -8,6 +8,8 @@ on:
       - main
       - "[0-9]+.[0-9]+.x"
 
+permissions: {}
+
 jobs:
   add-milestone-pr:
     name: Add Milestone on PR

diff --git a/.github/workflows/backport-pr.yml b/.github/workflows/backport-pr.yml
@@ -5,6 +5,8 @@ on:
       - closed
       - labeled
 
+permissions: {}
+
 jobs:
   backport:
     name: Backport PR

diff --git a/.github/workflows/buildimages-update.yml b/.github/workflows/buildimages-update.yml
@@ -24,6 +24,8 @@ on:
         required: true
         type: boolean
 
+permissions: {}
+
 jobs:
   open-go-update-pr:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/chase_release_managers.yml b/.github/workflows/chase_release_managers.yml
@@ -8,6 +8,7 @@ on:
         required: true
         type: string
 
+permissions: {}
 
 jobs:
   create_release_schedule:

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -10,6 +10,8 @@ on:
       - main
       - "[0-9]+.[0-9]+.x"
 
+permissions: {}
+
 jobs:
   CodeQL-Build:
     runs-on: ubuntu-20.04

diff --git a/.github/workflows/create_rc_pr.yml b/.github/workflows/create_rc_pr.yml
@@ -9,6 +9,8 @@ on:
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+permissions: {}
+
 jobs:
     find_release_branches:
         runs-on: ubuntu-latest

diff --git a/.github/workflows/create_release_schedule.yml b/.github/workflows/create_release_schedule.yml
@@ -12,6 +12,8 @@ on:
         required: true
         type: string
 
+permissions: {}
+
 
 jobs:
   create_release_schedule:

diff --git a/.github/workflows/cws-btfhub-sync.yml b/.github/workflows/cws-btfhub-sync.yml
@@ -16,6 +16,8 @@ on:
   schedule:
     - cron: '30 4 * * 5' # at 4:30 UTC on Friday
 
+permissions: {}
+
 jobs:
   generate:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/datadog-static-analysis.yml b/.github/workflows/datadog-static-analysis.yml
@@ -2,6 +2,8 @@ on: [push]
 
 name: Datadog Static Analysis
 
+permissions: {}
+
 jobs:
   static-analysis:
     if: github.triggering_actor != 'dependabot[bot]'

diff --git a/.github/workflows/do-not-merge.yml b/.github/workflows/do-not-merge.yml
@@ -10,6 +10,8 @@ on:
     branches:
       - mq-working-branch-*
 
+permissions: {}
+
 jobs:
   do-not-merge:
     if: ${{ contains(github.event.*.labels.*.name, 'do-not-merge/hold') || contains(github.event.*.labels.*.name, 'do-not-merge/WIP') }}

diff --git a/.github/workflows/docs-dev.yml b/.github/workflows/docs-dev.yml
@@ -14,6 +14,8 @@ on:
     - docs/**
     - .github/workflows/docs-dev.yml
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' && true || false }}

diff --git a/.github/workflows/external-contributor.yml b/.github/workflows/external-contributor.yml
@@ -6,6 +6,8 @@ on:
   pull_request_target:
     types: [opened, reopened]
 
+permissions: {}
+
 jobs:
   external-contributor-prs:
     name: Handle Fork PRs

diff --git a/.github/workflows/go-update-commenter.yml b/.github/workflows/go-update-commenter.yml
@@ -5,6 +5,8 @@ on:
     # Only run on PR label events (in particular not on every commit)
     types: [ labeled ]
 
+permissions: {}
+
 jobs:
   old-versions-match:
     # Only run if the PR is labeled with 'go-update'

diff --git a/.github/workflows/gohai.yml b/.github/workflows/gohai.yml
@@ -12,6 +12,8 @@ on:
     paths:
       - "pkg/gohai/**"
 
+permissions: {}
+
 jobs:
   gohai_test:
     strategy:

diff --git a/.github/workflows/label-analysis.yml b/.github/workflows/label-analysis.yml
@@ -13,6 +13,8 @@ env:
   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GH_REPO: ${{ github.repository }}
 
+permissions: {}
+
 jobs:
   assign-team-label:
     if: github.triggering_actor != 'dd-devflow[bot]'

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -6,6 +6,8 @@ on:
       - main
       - "[0-9]+.[0-9]+.x"
 
+permissions: {}
+
 jobs:
   label:
     permissions:

diff --git a/.github/workflows/markdown-lint-check.yml b/.github/workflows/markdown-lint-check.yml
@@ -3,6 +3,8 @@ name: Check Markdown links
 on:
   pull_request:
 
+permissions: {}
+
 jobs:
   markdown-link-check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/serverless-benchmarks.yml b/.github/workflows/serverless-benchmarks.yml
@@ -14,6 +14,8 @@ concurrency:
   group: ${{ github.workflow }}/PR#${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   baseline:
     name: Baseline

diff --git a/.github/workflows/serverless-binary-size.yml b/.github/workflows/serverless-binary-size.yml
@@ -6,6 +6,8 @@ on:
 env:
   SIZE_ALLOWANCE: fromJSON(1000000) # 1 MB
 
+permissions: {}
+
 jobs:
   comment:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/serverless-integration.yml b/.github/workflows/serverless-integration.yml
@@ -12,6 +12,8 @@ on:
   schedule:
     - cron: '0 14 * * *' # cron schedule uses UTC timezone. Run tests at the beginning of the day in US-East
 
+permissions: {}
+
 jobs:
   test:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/slapr.yml b/.github/workflows/slapr.yml
@@ -7,6 +7,8 @@
 #   pull_request:
 #     types: [closed]
 #
+# permissions: {}
+#
 # jobs:
 #   run_slapr_datadog_agent:
 #     runs-on: ubuntu-latest
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,6 +5,8 @@ on: @@
           - closed
           - labeled
+    permissions: {}
     jobs:
       backport:
         name: Backport PR
@@ Expand Down @@