CI: Add `permissions` to GitHub Actions

This change locks down the permissions of the access token in GitHub Actions to
only allow reading the repository contents and nothing else.

see https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index de49f43438f23125d59e286e797bdecb85cc4542..61edaeb9ed6bc4536f3fc17f2feeab5ea8cdf2de 100644 (file)
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: "0 0 * * 2"
 
+permissions:
+  contents: read
+
 jobs:
   codespell:
 

diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml
index 9f2bec28964aaac9ab76f8aa4412b3516e303fe4..fe6c2711e51ffbb8a03d76ef13a5e2b600c63cdb 100644 (file)
--- a/.github/workflows/compliance.yml
+++ b/.github/workflows/compliance.yml
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "0 0 * * 3"
 
+permissions:
+  contents: read
+
 jobs:
   h2spec:
     name: h2spec

diff --git a/.github/workflows/contrib.yml b/.github/workflows/contrib.yml
index 53f6025ca1a927647afaf0e50fd72def109587ed..93387a458c4cbf724c360edd23d57f3d4d1b4e12 100644 (file)
--- a/.github/workflows/contrib.yml
+++ b/.github/workflows/contrib.yml
@@ -3,6 +3,9 @@ name: Contrib
 on:
   push:
 
+permissions:
+  contents: read
+
 jobs:
   build:
 

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index fd5a0e2d2e32d84f3979a010e46421632f29891c..b3dd5ec526ad011b549f374bb05f8e789e86bfb8 100644 (file)
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -9,6 +9,9 @@ on:
   schedule:
   - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   scan:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/musl.yml b/.github/workflows/musl.yml
index 8f6922486c183c1cfecd3ea96cfc90b22470211f..19d82af7cf199245c847acffe08bd244a4f0d5fd 100644 (file)
--- a/.github/workflows/musl.yml
+++ b/.github/workflows/musl.yml
@@ -2,6 +2,9 @@ name: alpine/musl
 
 on: [push]
 
+permissions:
+  contents: read
+
 jobs:
   musl:
       name: gcc

diff --git a/.github/workflows/openssl-nodeprecated.yml b/.github/workflows/openssl-nodeprecated.yml
index 6833911e46b3db0774eb8754d27e065dafcf15a1..f6da38234e5a4816821e6340cd87f298e502ca8d 100644 (file)
--- a/.github/workflows/openssl-nodeprecated.yml
+++ b/.github/workflows/openssl-nodeprecated.yml
@@ -14,6 +14,9 @@ on:
   schedule:
     - cron: "0 0 * * 4"
 
+permissions:
+  contents: read
+
 jobs:
   test:
 

diff --git a/.github/workflows/vtest.yml b/.github/workflows/vtest.yml
index 1dc216eeb85ca79523b78bc0aed02b83f2660e47..4cdbdce5b45aff68663be118e2d1aa971c16cd0f 100644 (file)
--- a/.github/workflows/vtest.yml
+++ b/.github/workflows/vtest.yml
@@ -11,6 +11,9 @@ name: VTest
 on:
   push:
 
+permissions:
+  contents: read
+
 jobs:
   # The generate-matrix job generates the build matrix using JSON output
   # generated by .github/matrix.py.

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index b5a198aff44e3fc0685edd2fcab0c51f52302865..42bb4e8c927ffd3e81796a35521f7e473f2f3e13 100644 (file)
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -11,6 +11,9 @@ name: Windows
 on:
   push:
 
+permissions:
+  contents: read
+
 jobs:
   msys2:
     name: ${{ matrix.name }}