ci(build): improve security posture

* Limit unnecessary permissions. * Avoid storing credentials.
2026-03-20 04:55:20 -05:00 · 2024-03-25 14:26:35 -04:00
parent 0bea7832e9
commit 7c9477be6e
1 changed files with 10 additions and 0 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,6 +12,8 @@ on:
  schedule:
    - cron: "22 4 * * *"

+permissions: {}
+
 jobs:
  build:
    if: ${{ always() }}
@@ -25,6 +27,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
      - name: Cache west modules
        uses: actions/cache@v4
        env:
@@ -179,6 +183,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
      - name: Use Node.js
        uses: actions/setup-node@v4
        with:
@@ -335,6 +341,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
      - name: Use Node.js
        uses: actions/setup-node@v4
        with:
@@ -415,6 +423,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
      - uses: tj-actions/changed-files@v44
        id: changed-files
        with: