explicitely set minimial workflow permissions

https://docs.zizmor.sh/audits/#excessive-permissions

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28982)

diff --git a/.github/workflows/deploy-docs-openssl-org.yml b/.github/workflows/deploy-docs-openssl-org.yml
index 5554f07a4290600bf9758c40e92b78e4aa9b10af..e71b1f1539773f5fad548507c5afdef583a57989 100644 (file)
--- a/.github/workflows/deploy-docs-openssl-org.yml
+++ b/.github/workflows/deploy-docs-openssl-org.yml
@@ -8,6 +8,8 @@ on:
     paths:
       - "doc/man*/**"
 
+permissions: {}
+
 jobs:
   trigger:
     if: github.repository == 'openssl/openssl'

diff --git a/.github/workflows/interop-tests.yml b/.github/workflows/interop-tests.yml
index c34a6853b59536895586135a2ea343b6007fabde..723eb122dff6a41d46571a95b1bdf80b73b82f0c 100644 (file)
--- a/.github/workflows/interop-tests.yml
+++ b/.github/workflows/interop-tests.yml
@@ -9,6 +9,8 @@ on:
     - cron: '55 02 * * *'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   test:
     if: github.repository == 'openssl/openssl'

diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index 6c3d453c81e62206e6f09999355eac2ee4e35f63..038ffad8774846be41a1e8f4305db5472773e15b 100644 (file)
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -12,6 +12,8 @@ on:
     tags:
       - "openssl-*"
 
+permissions: {}
+
 jobs:
   release:
     runs-on: "releaser"