From 950dfa1ecfdbbb9ae8c6cf62ce1449453090bab5 Mon Sep 17 00:00:00 2001
From: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
Date: Fri, 3 Jun 2022 01:08:38 +0000
Subject: [PATCH] chore: Set permissions for GitHub actions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action.

https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
---
 .github/workflows/ci-bionic.yml       | 3 +++
 .github/workflows/ci-bullseye.yml     | 3 +++
 .github/workflows/ci-buster.yml       | 3 +++
 .github/workflows/ci-centos-7.yml     | 3 +++
 .github/workflows/ci-centos-8.yml     | 3 +++
 .github/workflows/ci-eslint.yml       | 3 +++
 .github/workflows/ci-stretch.yml      | 3 +++
 .github/workflows/codeql-analysis.yml | 7 +++++++
 8 files changed, 28 insertions(+)

diff --git a/.github/workflows/ci-bionic.yml b/.github/workflows/ci-bionic.yml
index 4718f34f0..a8df52549 100644
--- a/.github/workflows/ci-bionic.yml
+++ b/.github/workflows/ci-bionic.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     defaults:
diff --git a/.github/workflows/ci-bullseye.yml b/.github/workflows/ci-bullseye.yml
index 3d34e77ff..eb0b7a7ce 100644
--- a/.github/workflows/ci-bullseye.yml
+++ b/.github/workflows/ci-bullseye.yml
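Review bot: The new top-level `permissions:` block in ci-bionic.yml carries no comment saying why `contents: read` is enough, unlike the per-job block the same commit adds to codeql-analysis.yml, and the identical hunks in ci-bullseye.yml, ci-buster.yml, ci-centos-7.yml, ci-centos-8.yml, ci-eslint.yml and ci-stretch.yml have the same gap. The hunks show only the `on:` triggers and the first lines of `jobs:`, so the steps are not visible here; any step that writes through `GITHUB_TOKEN` (check annotations, PR comments, release uploads) would now be refused, which is worth confirming against each job before merging. If a job does need more, grant it at the job level as codeql-analysis.yml does rather than widening the workflow-level block. I would add above each new block: `# Least-privilege GITHUB_TOKEN for all jobs: checkout only needs read access; grant extra scopes per job.`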
@@ -7,6 +7,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     defaults:
diff --git a/.github/workflows/ci-buster.yml b/.github/workflows/ci-buster.yml
index 66f263835..af7e7f94a 100644
--- a/.github/workflows/ci-buster.yml
+++ b/.github/workflows/ci-buster.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     defaults:
diff --git a/.github/workflows/ci-centos-7.yml b/.github/workflows/ci-centos-7.yml
index 986b7815b..1b3566685 100644
--- a/.github/workflows/ci-centos-7.yml
+++ b/.github/workflows/ci-centos-7.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/ci-centos-8.yml b/.github/workflows/ci-centos-8.yml
index 8ad222793..68e8c4284 100644
--- a/.github/workflows/ci-centos-8.yml
+++ b/.github/workflows/ci-centos-8.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/ci-eslint.yml b/.github/workflows/ci-eslint.yml
index dce24c367..d8ba1c49f 100644
--- a/.github/workflows/ci-eslint.yml
+++ b/.github/workflows/ci-eslint.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   eslint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci-stretch.yml b/.github/workflows/ci-stretch.yml
index 8e30da10a..2849aa1c9 100644
--- a/.github/workflows/ci-stretch.yml
+++ b/.github/workflows/ci-stretch.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     defaults:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 1de9e3bc9..5a8cfa099 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,8 +14,15 @@ on:
   schedule:
     - cron: '0 3 * * 5'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
     name: Analyze
     runs-on: ubuntu-latest