Restrict permissions for GITHUB_TOKEN in our workflows

author Remi Gacogne <remi.gacogne@powerdns.com>

Thu, 1 Dec 2022 13:34:19 +0000 (14:34 +0100)

committer Alexis Romero <alexis.romero@open-xchange.com>

Wed, 8 Mar 2023 15:15:57 +0000 (16:15 +0100)
author Remi Gacogne <remi.gacogne@powerdns.com>
Thu, 1 Dec 2022 13:34:19 +0000 (14:34 +0100)
committer Alexis Romero <alexis.romero@open-xchange.com>
Wed, 8 Mar 2023 15:15:57 +0000 (16:15 +0100)
diff --git a/.github/workflows/build-and-test-all.yml b/.github/workflows/build-and-test-all.yml

index 5afd14cb0f90c6bf44f7ad8c697cc07a0920ed60..04f43273f0c041a47a0b14991fa417a38e16d039 100644 (file)
--- a/.github/workflows/build-and-test-all.yml
+++ b/.github/workflows/build-and-test-all.yml
@@ -7,6 +7,9 @@ on:
    schedule:
      - cron: '0 22 * * 3'
  
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+  contents: read
+
  jobs:
    build-auth:
      name: build auth
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml

index 9056cfb91dba4c58e433547af202d7bee1d01223..4f7ca505792bf3ce848f97207dea4ef7922a22b7 100644 (file)
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -5,6 +5,9 @@ on:
    schedule:
      - cron: '0 1 * * *'
  
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+  contents: read
+
  jobs:
    build:
      name: build.sh
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml

index 6c25b36023a51a3ffe4caf45479d9e639831261a..dad3c1ed0815a372a01adbf4c5daf19488ae510b 100644 (file)
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,11 +6,19 @@ on:
    schedule:
      - cron: '0 22 * * 2'
  
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+  contents: read
+
  jobs:
    analyze:
      name: Analyze
      runs-on: ubuntu-20.04
  
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
+
      strategy:
        fail-fast: false
        matrix:
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml

index dbc501d0b36bb9813d258504d899a6024bb13703..baf9f33b68f753fbe040121a9b4eac92bc4b9458 100644 (file)
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -5,6 +5,9 @@ on:
    schedule:
      - cron: '0 4 * * *'
  
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+  contents: read
+
  jobs:
    build:
      name: docker build
diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml

index 2b71e0a0983e8455a046ab0265d8466ac22e5012..852239281e8294b01b9db0112f0556e351a78b79 100644 (file)
--- a/.github/workflows/formatting.yml
+++ b/.github/workflows/formatting.yml
@@ -5,6 +5,9 @@ on:
    push:
    pull_request:
  
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+  contents: read
+
  jobs:
    build:
      name: verify formatting and Makefile.am sort order
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml

index 2fc954a5db2d29c1a6a2b0ecbdec75957e0ada91..c93ed0ef8769374afd8658ede15b5e582a0bbd92 100644 (file)
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -1,5 +1,9 @@
  name: CIFuzz
  on: [pull_request]
+
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+  contents: read
+
  jobs:
    Fuzzing:
      runs-on: ubuntu-20.04
diff --git a/.github/workflows/secpoll.yml b/.github/workflows/secpoll.yml

index c5ee41de904af7ce96dd0499695b233107ec0804..be08e63e6cb3819c071a89c4affe760cdd0cbf12 100644 (file)
--- a/.github/workflows/secpoll.yml
+++ b/.github/workflows/secpoll.yml
@@ -5,6 +5,9 @@ on:
    push:
    pull_request:
  
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+  contents: read
+
  jobs:
    build:
      name: check secpoll zone
diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml

index 7cf39614917a33a79262a2499de716fa56bc4e9a..c250cd1046a13d2a0effd1e88fd12b8b3d959063 100644 (file)
--- a/.github/workflows/spelling.yml
+++ b/.github/workflows/spelling.yml
@@ -4,6 +4,9 @@ on:
    push:
      branches: ''
  
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+  contents: read
+
  jobs:
    placeholder:
      name: Should be disabled
author	Remi Gacogne <remi.gacogne@powerdns.com>
	Thu, 1 Dec 2022 13:34:19 +0000 (14:34 +0100)
committer	Alexis Romero <alexis.romero@open-xchange.com>
	Wed, 8 Mar 2023 15:15:57 +0000 (16:15 +0100)
.github/workflows/build-and-test-all.yml		patch \| blob \| blame \| history
.github/workflows/builder.yml		patch \| blob \| blame \| history
.github/workflows/codeql-analysis.yml		patch \| blob \| blame \| history
.github/workflows/docker.yml		patch \| blob \| blame \| history
.github/workflows/formatting.yml		patch \| blob \| blame \| history
.github/workflows/fuzz.yml		patch \| blob \| blame \| history
.github/workflows/secpoll.yml		patch \| blob \| blame \| history
.github/workflows/spelling.yml		patch \| blob \| blame \| history