command-action: added scoped permissions to the github tokens (#5016)

This will ensure that malicious code can not access other parts of the project. Co-authored-by: Oliver Tale-Yazdi <oliver.tale-yazdi@parity.io> Co-authored-by: Bastian Köcher <git@kchr.de>

command-action: added scoped permissions to the github tokens (#5016)
This will ensure that malicious code can not access other parts of the project. Co-authored-by: Oliver Tale-Yazdi <oliver.tale-yazdi@parity.io> Co-authored-by: Bastian Köcher <git@kchr.de>
d8d36a09 · Javyer · GitHub · 8d392711 · d8d36a09 · d8d36a09
Unverified Commit d8d36a09 authored 8 months ago by Javyer Committed by GitHub 8 months ago
--- a/.github/workflows/command-bench-all.yml
+++ b/.github/workflows/command-bench-all.yml
@@ -66,6 +66,9 @@ jobs:
    runs-on: arc-runners-polkadot-sdk-weights
    container:
      image: ${{ needs.set-image.outputs.IMAGE }}
+    permissions:
+      contents: write
+      pull-requests: write
    steps:
      - name: Download repo
        uses: actions/checkout@v4

--- a/.github/workflows/command-bench-overhead.yml
+++ b/.github/workflows/command-bench-overhead.yml
@@ -45,6 +45,9 @@ jobs:
    runs-on: arc-runners-polkadot-sdk-benchmark
    container:
      image: ${{ needs.set-image.outputs.IMAGE }}
+    permissions:
+      contents: write
+      pull-requests: write
    steps:
      - name: Download repo
        uses: actions/checkout@v4

--- a/.github/workflows/command-bench.yml
+++ b/.github/workflows/command-bench.yml
@@ -91,6 +91,9 @@ jobs:
    runs-on: arc-runners-polkadot-sdk-benchmark
    container:
      image: ${{ needs.set-image.outputs.IMAGE }}
+    permissions:
+      contents: write
+      pull-requests: write
    steps:
      - name: Download repo
        uses: actions/checkout@v4

--- a/.github/workflows/command-fmt.yml
+++ b/.github/workflows/command-fmt.yml
@@ -23,6 +23,9 @@ jobs:
    timeout-minutes: 20
    container:
      image: ${{ needs.set-image.outputs.IMAGE }}
+    permissions:
+      contents: write
+      pull-requests: write
    steps:
      - name: Download repo
        uses: actions/checkout@v4

--- a/.github/workflows/command-sync.yml
+++ b/.github/workflows/command-sync.yml
@@ -38,6 +38,9 @@ jobs:
    runs-on: arc-runners-polkadot-sdk-warpsync
    container:
      image: ${{ needs.set-image.outputs.IMAGE }}
+    permissions:
+      contents: write
+      pull-requests: write
    steps:
      - name: Download repo
        uses: actions/checkout@v4

--- a/.github/workflows/command-update-ui.yml
+++ b/.github/workflows/command-update-ui.yml
@@ -26,6 +26,9 @@ jobs:
    timeout-minutes: 90
    container:
      image: ${{ needs.set-image.outputs.IMAGE }}
+    permissions:
+      contents: write
+      pull-requests: write
    steps:
      - name: Download repo
        uses: actions/checkout@v4