From 4cb6984a6591b63d3870e3a7e8b7351794f0166e Mon Sep 17 00:00:00 2001 From: Alex Date: Thu, 29 Sep 2022 18:41:33 +0300 Subject: [PATCH 1/5] GitHub Workflows security hardening (#10456) * build: harden lock.yml permissions Signed-off-by: Alex * build: harden stale.yml permissions Signed-off-by: Alex * build: harden ci.yml permissions Signed-off-by: Alex Signed-off-by: Alex --- .github/workflows/ci.yml | 2 ++ .github/workflows/lock.yml | 5 +++++ .github/workflows/stale.yml | 5 +++++ 3 files changed, 12 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 67f5028cd..9431863b7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,7 @@ name: CI on: [push, pull_request] +permissions: + contents: read # to fetch code (actions/checkout) jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index 9df4bc441..b928fc128 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -5,8 +5,13 @@ on: schedule: - cron: '0 3 * * *' +permissions: {} jobs: lock: + permissions: + issues: write # to lock issues (dessant/lock-threads) + pull-requests: write # to lock PRs (dessant/lock-threads) + runs-on: ubuntu-latest steps: - uses: dessant/lock-threads@v3 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 57666417a..1df1c7044 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -4,8 +4,13 @@ on: schedule: - cron: '0 4 * * *' +permissions: {} jobs: stale: + permissions: + issues: write # to close stale issues (actions/stale) + pull-requests: write # to close stale PRs (actions/stale) + runs-on: ubuntu-latest steps: - uses: actions/stale@v5 From 309a70df8908b354cb6634071913878dd1aea4e1 Mon Sep 17 00:00:00 2001 
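Review bot: A root `permissions:` block turns every scope not listed into `none` for the whole workflow, so the `build` job in ci.yml — whose steps lie outside this hunk — loses any write scope it may have relied on (check runs, statuses, pushing tags, commenting on pull requests). If the job only checks out and tests code, `contents: read` is the correct minimum; if any step writes back to GitHub it will now fail with a permission error instead of running with excess privilege, so confirm against the job body or a trial run before merging.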
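Review bot: For a hardening commit, `- uses: dessant/lock-threads@v3` (and `- uses: actions/stale@v5` in the stale.yml hunk) stays pinned to a mutable tag, so the `issues: write` / `pull-requests: write` token granted here is handed to whatever code the tag resolves to in the future; pin third-party actions to a full-length commit SHA, e.g. `- uses: dessant/lock-threads@<full-commit-sha> # v3`, and let Dependabot keep the pin current. The split of `permissions: {}` at the root with the two write scopes on the job is the right least-privilege shape: unlisted scopes become `none` and only the job that needs write access receives it. The remaining `with:` inputs of the `lock` step are outside the hunk.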
From: jeremystretch Date: Thu, 29 Sep 2022 11:59:15 -0400 Subject: [PATCH 2/5] Tweak workflow permissions --- .github/workflows/lock.yml | 5 ++--- .github/workflows/stale.yml | 5 ++--- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index b928fc128..4f73f66f0 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -5,12 +5,11 @@ on: schedule: - cron: '0 3 * * *' -permissions: {} jobs: lock: permissions: - issues: write # to lock issues (dessant/lock-threads) - pull-requests: write # to lock PRs (dessant/lock-threads) + issues: write + pull-requests: write runs-on: ubuntu-latest steps: diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 1df1c7044..70a2511c8 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -4,12 +4,11 @@ on: schedule: - cron: '0 4 * * *' -permissions: {} jobs: stale: permissions: - issues: write # to close stale issues (actions/stale) - pull-requests: write # to close stale PRs (actions/stale) + issues: write + pull-requests: write runs-on: ubuntu-latest steps: From cbbfcd0e7b9acba46dbaa725fd7bd02366aa1303 Mon Sep 17 00:00:00 2001 From: jeremystretch Date: Thu, 29 Sep 2022 12:00:44 -0400 Subject: [PATCH 3/5] Bump stale to v6 --- .github/workflows/stale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 70a2511c8..cbc8d8b87 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v5 + - uses: actions/stale@v6 with: close-issue-message: > This issue has been automatically closed due to lack of activity. In an From 04738587e80ca0cc9ecdf3a833c9af555877e902 Mon Sep 17 00:00:00 2001 
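Review bot: Dropping the trailing comments on `issues: write` and `pull-requests: write` removes the only record of why each scope is granted and by which action, which is exactly what a later reviewer needs to decide whether a scope can be narrowed; the same applies to the stale.yml hunk in this patch and to `contents: read` in the ci.yml hunk of patch 5. A short form keeps the intent without the noise, e.g. `permissions:  # needed by dessant/lock-threads to lock inactive issues/PRs`. Removing the root `permissions: {}` also means a job added to this file without its own `permissions:` block falls back to the repository's default token scopes, a gap that only closes when patch 4 moves the block to the root.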
From: jeremystretch Date: Thu, 29 Sep 2022 12:17:10 -0400 Subject: [PATCH 4/5] Move permissions block to root --- .github/workflows/lock.yml | 9 ++++----- .github/workflows/stale.yml | 8 +++++--- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index 4f73f66f0..a53cf728c 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -5,17 +5,16 @@ on: schedule: - cron: '0 3 * * *' +permissions: + issues: write + pull-requests: write + jobs: lock: - permissions: - issues: write - pull-requests: write - runs-on: ubuntu-latest steps: - uses: dessant/lock-threads@v3 with: - github-token: ${{ github.token }} issue-inactive-days: 90 pr-inactive-days: 30 issue-lock-reason: 'resolved' diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index cbc8d8b87..68e475f24 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -1,14 +1,16 @@ # close-stale-issues (https://github.com/marketplace/actions/close-stale-issues) name: 'Close stale issues/PRs' + on: schedule: - cron: '0 4 * * *' +permissions: + issues: write + pull-requests: write + jobs: stale: - permissions: - issues: write - pull-requests: write runs-on: ubuntu-latest steps: From 62820ea2b8fc4d61f2e68390520d72bccdfff53e Mon Sep 17 00:00:00 2001 From: jeremystretch Date: Thu, 29 Sep 2022 12:36:10 -0400 Subject: [PATCH 5/5] Add workflow_dispatch event --- .github/workflows/ci.yml | 2 +- .github/workflows/lock.yml | 1 + .github/workflows/stale.yml | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9431863b7..d75f98fbc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,7 +1,7 @@ name: CI on: [push, pull_request] permissions: - contents: read # to fetch code (actions/checkout) + contents: read jobs: build: runs-on: ubuntu-latest 
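Review bot: With `issues: write` and `pull-requests: write` now at the workflow root, every job in lock.yml inherits both write scopes, not only `lock`; today there is a single job so the effective grant is unchanged, but a job added later (a report or notification step, say) would receive write access to issues and PRs by default. If workflow-wide scope is the intent, a one-line comment above the block would stop the next contributor from assuming job-level scoping, e.g. `permissions:  # applies to every job in this workflow`; the stale.yml hunk has the same shape. Removing `github-token: ${{ github.token }}` leaves the step on the action's default input — presumably the workflow token — which is fine as long as that matches what the v3 action documents; a mismatch would surface as an authentication failure rather than as over-privilege.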
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index a53cf728c..6019cef5d 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -4,6 +4,7 @@ name: 'Lock threads' on: schedule: - cron: '0 3 * * *' + workflow_dispatch: permissions: issues: write diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 68e475f24..ab259af2a 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -4,6 +4,7 @@ name: 'Close stale issues/PRs' on: schedule: - cron: '0 4 * * *' + workflow_dispatch: permissions: issues: write