From: Remi Gacogne
Date: Thu, 1 Dec 2022 13:34:19 +0000 (+0100)
Subject: Restrict permissions for GITHUB_TOKEN in our workflows
X-Git-Tag: auth-4.7.4~8^2~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba54abeb2724bc9838d648bd611cade81a0efa76;p=thirdparty%2Fpdns.git
Restrict permissions for GITHUB_TOKEN in our workflows
Added using https://github.com/step-security/secure-workflows
For more information see:
- https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#token-permissions
- https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
---
diff --git a/.github/workflows/build-and-test-all.yml b/.github/workflows/build-and-test-all.yml
index b05565eaf9..097a217992 100644
--- a/.github/workflows/build-and-test-all.yml
+++ b/.github/workflows/build-and-test-all.yml
@@ -7,6 +7,9 @@ on:
 schedule:
 - cron: '0 22 * * 3'
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 build-auth:
 name: build auth
diff --git a/.github/workflows/builder-dispatch.yml b/.github/workflows/builder-dispatch.yml
index 4232c15609..e7187443e3 100644
--- a/.github/workflows/builder-dispatch.yml
+++ b/.github/workflows/builder-dispatch.yml
@@ -13,6 +13,9 @@ on:
 description: OS to build for
 type: string
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 build:
 name: build ${{ github.event.inputs.product }} for ${{ github.event.inputs.os }}
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
index 9c5caa4d07..e57468f482 100644
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
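Review bot: The workflow-level `contents: read` added before `jobs:` is replaced, not extended, by any job-level `permissions:` block, so a job in this file that later declares only `packages: write` or `pull-requests: write` silently loses `contents: read`; the added comment should say so, e.g. `# NOTE: a job-level permissions: block replaces this one entirely - repeat contents: read there`. The same applies to the identical blocks added to builder-dispatch.yml, builder.yml, docker.yml, formatting.yml and fuzz.yml. The jobs governed by this block are outside the hunk, so whether any of them needs more than read access cannot be confirmed here. As a point of style, the inline URL pushes the new line well past 120 columns; putting the link on its own comment line above `permissions:` keeps yamllint's line-length check quiet.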
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '0 1 * * *'
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 build:
 name: build.sh
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 31824d50c2..f904d05428 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,11 +6,19 @@ on:
 schedule:
 - cron: '0 22 * * 2'
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
 runs-on: ubuntu-20.04
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/analyze to upload SARIF results
+
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index b4e8e491be..c21a5d8363 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '0 4 * * *'
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 build:
 name: docker build
diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml
index 38395c5e29..544ea37de0 100644
--- a/.github/workflows/formatting.yml
+++ b/.github/workflows/formatting.yml
@@ -5,6 +5,9 @@ on:
 push:
 pull_request:
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 build:
 name: verify formatting and Makefile.am sort order
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index c42bd8f93e..9b724f6616 100644
--- a/.github/workflows/fuzz.yml
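Review bot: In codeql-analysis.yml the job-level block under `analyze` repeats `contents: read`, which is required rather than redundant because a job-level `permissions:` replaces the workflow-level block instead of merging with it; a one-line comment would keep a future cleanup from removing it, e.g. `# repeated on purpose: job-level permissions replace the workflow-level block`. `actions: read` is the only grant here beyond what the token needs to check out and upload results; the codeql-action documentation describes it as needed for reading workflow run details, and it may only be required for private repositories, so confirming against the current codeql-action README could let it be dropped. `security-events: write` is correctly scoped to this single job rather than the whole workflow. The job's matrix and steps continue outside the hunk, so it cannot be checked here whether any step needs further permissions.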
+++ b/.github/workflows/fuzz.yml
@@ -1,5 +1,9 @@
 name: CIFuzz
 on: [pull_request]
+
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 Fuzzing:
 runs-on: ubuntu-20.04