Restrict permissions for GITHUB_TOKEN in our workflows 12343/head
authorRemi Gacogne <remi.gacogne@powerdns.com>
Thu, 1 Dec 2022 13:34:19 +0000 (14:34 +0100)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Tue, 20 Dec 2022 08:31:51 +0000 (09:31 +0100)
Added using https://github.com/step-security/secure-workflows
For more information see:
- https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#token-permissions
- https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/

(cherry picked from commit aff4e1eafa5bbc4e9ef6acee9d73b2154e0ab9b9)

.github/workflows/build-and-test-all.yml
.github/workflows/builder-dispatch.yml
.github/workflows/builder.yml
.github/workflows/codeql-analysis.yml
.github/workflows/docker.yml
.github/workflows/formatting.yml
.github/workflows/fuzz.yml

index 7cf156c9f39666eaa79970a715b834ab942b4a21..c5b7a36986ae52f82289c69e767e3bbe7ff9be96 100644 (file)
@@ -7,6 +7,9 @@ on:
   schedule:
     - cron: '0 22 * * 3'
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+  contents: read
+
 jobs:
   build-recursor:
     name: build recursor
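Review bot: The inline comment on the added `permissions:` line pushes it to roughly 130 characters, past the usual 120-character hard limit, and the identical line is repeated in builder-dispatch.yml, builder.yml, codeql-analysis.yml, docker.yml, formatting.yml and fuzz.yml. Putting the comment on its own line above the key keeps the link and reads the same: `# least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions` followed by `permissions:`. A workflow-level read-only token is the right default; any job that needs more should widen it in its own `permissions` block rather than at the top.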
index 0e6db3924d530d53920bfe1b48c75b286365c97a..f5d90c51fc50921d1b90cc567631d91bfb8356a0 100644 (file)
@@ -34,6 +34,9 @@ on:
         - 'NO'
         - 'YES'
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+  contents: read
+
 jobs:
   prepare:
     name: generate OS list
index fc6e23e28f34b49a74105733c678681a68e823e3..9ac0c1734d175ab3824ee2e68c47fb0c6810b434 100644 (file)
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: '0 1 * * *'
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+  contents: read
+
 jobs:
   build:
     name: build.sh
index 6fd588d4ff64737b6963791db56372494dec7cba..d3cc6c791aa26d0004dbc7367e1d318231ff4992 100644 (file)
@@ -6,11 +6,19 @@ on:
   schedule:
     - cron: '0 22 * * 2'
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-20.04
 
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
+
     strategy:
       fail-fast: false
       matrix:
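Review bot: The spacing before `#` in the job-level `permissions` block is inconsistent — `actions: read # for ...` has one space while the next two lines have two; yamllint's `comments` rule expects at least two, so `actions: read  # for github/codeql-action/init to get workflow details` brings it in line. It is also worth recording why `contents: read` is repeated here when the workflow level already grants it: a job-level `permissions` block replaces the workflow-level one rather than extending it, so removing that line would leave checkout without read access. A comment such as `# job-level permissions replace the workflow-level ones, so contents: read must be repeated` above the block would prevent that regression.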
index 77ba6db45a3214ecb09b5d12ef333e09206b17ed..51ac091a5a3cc3bdd77ce2a20c023415ebff9375 100644 (file)
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: '0 4 * * *'
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+  contents: read
+
 jobs:
   build:
     name: docker build
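Review bot: With the token now limited to `contents: read` for the whole workflow, the `docker build` job will fail at its push step if it publishes images to the GitHub container registry using GITHUB_TOKEN, because that requires `packages: write`; the job's steps lie outside this hunk, so this is inferred from the job name and should be confirmed against the full file. If it does push, grant `packages: write` in a job-level `permissions` block for that job only (repeating `contents: read` there, since a job-level block replaces the workflow-level one) rather than loosening the workflow-level default. If it only builds, or pushes to an external registry with its own credentials, the change is complete as is.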
index 38395c5e299320fa00ab3148250c4087a48c0c60..544ea37de0bfebf6ce0a7a2b1c4ceedefadef22b 100644 (file)
@@ -5,6 +5,9 @@ on:
   push:
   pull_request:
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+  contents: read
+
 jobs:
   build:
     name: verify formatting and Makefile.am sort order
index c42bd8f93ea19711403b38c58d517efb6f0a1a8a..9b724f6616d8a92ca66a8c8681a15e8b691a1a40 100644 (file)
@@ -1,5 +1,9 @@
 name: CIFuzz
 on: [pull_request]
+
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+  contents: read
+
 jobs:
   Fuzzing:
     runs-on: ubuntu-20.04