From e104e3751d3bab4bf94d00bb85c62210f8dd473c Mon Sep 17 00:00:00 2001 From: Jesse Seales Date: Wed, 4 May 2022 14:13:11 -0400 Subject: [PATCH 1/2] resolve token-permissions security alerts --- .github/workflows/mirror.yml | 3 +++ .github/workflows/pull_request_label.yml | 3 +++ .github/workflows/release.yml | 3 +++ 3 files changed, 9 insertions(+) diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml index 9026643d7b2e..9cfaf20d6cf0 100644 --- a/.github/workflows/mirror.yml +++ b/.github/workflows/mirror.yml @@ -7,6 +7,9 @@ on: push: branches: - 'main' + +# Declare default permissions as read only. +permissions: read-all jobs: mirror_job: diff --git a/.github/workflows/pull_request_label.yml b/.github/workflows/pull_request_label.yml index 825a3afd8508..686add6de3cf 100644 --- a/.github/workflows/pull_request_label.yml +++ b/.github/workflows/pull_request_label.yml @@ -12,6 +12,9 @@ on: pull_request_target: types: [opened, synchronize, reopened, closed] +# Declare default permissions as read only. +permissions: read-al + jobs: label: permissions: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1bf50a0d1dfc..a67f8f1575e4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,6 +4,9 @@ on: branches: - main +# Declare default permissions as read only. +permissions: read-all + jobs: release: if: github.repository_owner == 'flutter' From 91dc92b0203958bae2d602c7ee9afb37b040ed91 Mon Sep 17 00:00:00 2001 From: Jesse Seales Date: Wed, 4 May 2022 14:19:19 -0400 Subject: [PATCH 2/2] typo --- .github/workflows/pull_request_label.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull_request_label.yml b/.github/workflows/pull_request_label.yml index 686add6de3cf..54cae2deca98 100644 --- a/.github/workflows/pull_request_label.yml +++ b/.github/workflows/pull_request_label.yml @@ -13,7 +13,7 @@ on: types: [opened, synchronize, reopened, closed] # Declare default permissions as read only. -permissions: read-al +permissions: read-all jobs: label: