ubicloud/.github/workflows/cla.yml
Enes Cakir de5411cbd4 Set workflow job permissions explicitly
CodeQL has started scanning GitHub Actions workflows as well. It's not a
major issue, but it's good to follow best practices.

https://github.com/ubicloud/ubicloud/security/code-scanning/11

    Workflow does not contain permissions

    If a GitHub Actions job or workflow has no explicit permissions set,
    then the repository permissions are used. Repositories created under
    organizations inherit the organization permissions. The
    organizations or repositories created before February 2023 have the
    default permissions set to read-write. Often these permissions do
    not adhere to the principle of least privilege and can be reduced to
    read-only, leaving the write permission only to a specific types as
    issues: write or pull-requests: write.
2025-03-11 13:15:37 +03:00

31 lines
1.3 KiB
YAML

name: "CLA Assistant"
on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened,closed,synchronize]
permissions:
  actions: write
  contents: read
  pull-requests: write
  statuses: write
jobs:
  CLAAssistant:
    runs-on: ubicloud
    steps:
      - name: "CLA Assistant"
        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
        uses: contributor-assistant/github-action@v2.6.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
        with:
          path-to-signatures: 'signatures/cla.json'
          path-to-document: 'https://docs.google.com/document/d/1ymjqOk6fXhi-VxnV2qZEgI5ibX9gtg7Y/edit?usp=sharing&ouid=105153831332304232521&rtpof=true&sd=true' # e.g. a CLA or a DCO document
          branch: 'main'
          allowlist: byucesoy, enescakir, fdr, ozgune, pykello, umurc, velioglu, bot*
          remote-organization-name: ubicloud
          remote-repository-name: cla-signers
          create-file-commit-message: 'Creating file for storing CLA Signatures'
          signed-commit-message: '$contributorName has signed the CLA in $owner/$repo#$pullRequestNo'
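
An added example, not part of the ubicloud repository: a standard-library Python check for the condition the commit message quotes from code scanning. For each job it reports whether permissions are set explicitly (at job or workflow level) and which scopes are granted write. The names `audit_workflow`, `_mapping` and `_perms` are hypothetical, and the parser assumes block-style YAML mappings with unquoted keys.

```python
import re

KEY = re.compile(r"^(\s*)([A-Za-z0-9_-]+):\s*(.*)$")

def _mapping(lines):
    """One level of a block-style YAML mapping -> {key: (inline_value, child_lines)}."""
    lines = [l for l in lines if l.strip() and not l.lstrip().startswith("#")]
    out, cur = {}, None
    indent = len(lines[0]) - len(lines[0].lstrip()) if lines else 0
    for line in lines:
        m = KEY.match(line)
        if m and len(m.group(1)) == indent:
            cur = m.group(2)
            out[cur] = (m.group(3).split(" #")[0].strip(), [])
        elif cur is not None:
            out[cur][1].append(line)  # deeper line: belongs to the current key
    return out

def _perms(entry):
    """None if the key is absent, else {scope: level}; scalar forms become {'*': value}."""
    if entry is None:
        return None
    inline, children = entry
    if inline:  # read-all, write-all or {}
        return {"*": inline.replace("-all", "")}
    return {k: v[0] for k, v in _mapping(children).items()}

def audit_workflow(text):
    """Return [(job, where its permissions come from, write scopes)] for each job."""
    top = _mapping(text.splitlines())
    workflow_perms = _perms(top.get("permissions"))
    report = []
    for job, (_, body) in _mapping(top.get("jobs", ("", []))[1]).items():
        perms, source = _perms(_mapping(body).get("permissions")), "job"
        if perms is None:
            perms, source = workflow_perms, "workflow"
        if perms is None:
            # Nothing explicit anywhere: the token gets the repository/org default.
            report.append((job, "implicit", []))
        else:
            report.append((job, source, sorted(s for s, v in perms.items() if v == "write")))
    return report

# Trimmed copy of the workflow on this page; BEFORE is constructed by leaving out PERMS.
HEAD = 'name: "CLA Assistant"\non:\n  pull_request_target:\n    types: [opened,closed,synchronize]\n'
PERMS = "permissions:\n  actions: write\n  contents: read\n  pull-requests: write\n  statuses: write\n"
JOBS = "jobs:\n  CLAAssistant:\n    runs-on: ubicloud\n    steps:\n      - uses: contributor-assistant/github-action@v2.6.1\n"
AFTER, BEFORE = HEAD + PERMS + JOBS, HEAD + JOBS
```

A job reported as `implicit` is the one to fix first; for the others, the list of write scopes is what to review against what the job's steps actually need.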