securing github actions (#243)

jjo · web-flow · commit 5a8f3d6aa89b · 2025-04-28T16:29:48.000-03:00
Securing GH actions as followup from [the incident on April 26th 2025](https://grafana.com/blog/2025/04/27/grafana-security-update-no-customer-impact-from-github-workflow-vulnerability/). -- Signed-off-by: JuanJo Ciarlante <juanjosec@gmail.com>
diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml
@@ -7,11 +7,15 @@ on:
 jobs:
   publish-docs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pages: write
 
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: actions/setup-python@v5
 
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -9,9 +9,13 @@ env:
 jobs:
   tests:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install jsonnet
         run: |
