Skip to content

Add explicit permissions to all actions workflows #36140

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
silverwind merged 2 commits into from
Dec 12, 2025
Merged

Add explicit permissions to all actions workflows #36140

silverwind merged 2 commits into from
Dec 12, 2025

Conversation

@silverwind
Copy link
Member

@silverwind silverwind commented Dec 12, 2025
edited
Loading

Explicitely specify all workflow permissions. This will fix 26 CodeQL alerts.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Dec 12, 2025
@silverwind silverwind added the skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features. label Dec 12, 2025
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Dec 12, 2025
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Dec 12, 2025
@silverwind
Copy link
Member Author

silverwind commented Dec 12, 2025

The only change I'm a bit unsure about are the release actions, we should verify them after merge on master, but likely will be ok.

@silverwind silverwind added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Dec 12, 2025
@silverwind silverwind enabled auto-merge (squash) December 12, 2025 16:17
@silverwind silverwind merged commit 4c06c98 into go-gitea:main Dec 12, 2025
23 checks passed
@GiteaBot GiteaBot added this to the 1.26.0 milestone Dec 12, 2025
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Dec 12, 2025
@silverwind silverwind mentioned this pull request Dec 12, 2025
Merged
techknowlogick pushed a commit that referenced this pull request Dec 12, 2025
@silverwind
Add permissions tofiles-changed jobs (#36142)
3e57ba5 
Followup to #36140.
`files-changed` is a job that imports another workflow via `uses`
statement but CodeQL still complains about lack of permissions on these
jobs, so add it. This will fix the remaining [3 CodeQL
issues](https://github.com/go-gitea/gitea/security/code-scanning?query=is%3Aopen+branch%3Amain+permissions).
@wxiaoguang wxiaoguang deleted the perms branch December 14, 2025 23:20
zjjhot added a commit to zjjhot/gitea that referenced this pull request Dec 15, 2025
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
df53846 
* giteaofficial/main:
  Remove undocumented support of signing key in the repository git configuration file (go-gitea#36143)
  Enable gocheckcompilerdirectives linter (go-gitea#36156)
  Fix code highlighting on blame page (go-gitea#36157)
  Check user visibility when redirecting to a renamed user (go-gitea#36148)
  Fix bug when viewing the commit diff page with non-ANSI files (go-gitea#36149)
  Refactor `FileTreeItem` type (go-gitea#36137)
  Fix various bugs (go-gitea#36139)
  Fix issue close timeline icon (go-gitea#36138)
  Add permissions to`files-changed` jobs (go-gitea#36142)
  Add explicit permissions to all actions workflows (go-gitea#36140)
  Bump `actions/checkout` to v6 (go-gitea#36136)
  Hide RSS icon when viewing a file not under a branch (go-gitea#36135)
  Fix SVG size calulation, only use `style` attribute (go-gitea#36133)
  Add sorting/filtering to admin user search API endpoint (go-gitea#36112)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@delvh delvh delvh approved these changes

+1 more reviewer

@TheFox0x7 TheFox0x7 TheFox0x7 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/internal skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features.

Projects

None yet

Milestone

1.26.0

Development

Successfully merging this pull request may close these issues.

4 participants

@silverwind @TheFox0x7 @delvh @GiteaBot