From: Remi Gacogne
Date: Thu, 1 Dec 2022 13:34:19 +0000 (+0100)
Subject: Restrict permissions for GITHUB_TOKEN in our workflows
X-Git-Tag: dnsdist-1.8.0-rc1~201^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F12254%2Fhead;p=thirdparty%2Fpdns.git
Restrict permissions for GITHUB_TOKEN in our workflows
Added using https://github.com/step-security/secure-workflows
For more information see:
- https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#token-permissions
- https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
---
diff --git a/.github/workflows/build-and-test-all.yml b/.github/workflows/build-and-test-all.yml
index 2965ec12be..3c90ed7d2c 100644
--- a/.github/workflows/build-and-test-all.yml
+++ b/.github/workflows/build-and-test-all.yml
@@ -7,6 +7,9 @@ on:
 schedule:
 - cron: '0 22 * * 3'
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 build-auth:
 name: build auth
diff --git a/.github/workflows/builder-dispatch.yml b/.github/workflows/builder-dispatch.yml
index fed8e9647c..b8122e89c2 100644
--- a/.github/workflows/builder-dispatch.yml
+++ b/.github/workflows/builder-dispatch.yml
@@ -34,6 +34,9 @@ on:
 - 'NO'
 - 'YES'
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 prepare:
 name: generate OS list
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
index b1a3e8116a..3807d5e30b 100644
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '0 1 * * *'
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 build:
 name: build.sh
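Review bot: The `permissions:` comment is an inline trailer of over 120 characters pasted verbatim into every workflow in this commit (builder-dispatch.yml and builder.yml here, and codeql-analysis.yml, docker.yml, formatting.yml, fuzz.yml, misc-dailies.yml, secpoll.yml and spelling.yml after it); placing it above the key keeps yamllint's line-length check quiet and fixes the wording: `# least privilege for GITHUB_TOKEN: unlisted scopes become none; a job needing more adds its own block`, `# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions`, then `permissions:`. Because listing any scope at workflow level sets every unlisted scope to none, a job in these files that writes with GITHUB_TOKEN (pushing, creating releases, commenting on pull requests) would now fail; the job bodies are outside the hunks, so that needs a pass over each file's steps before merge. Where a job does need more, the job-level block used in codeql-analysis.yml in this same commit is the pattern to copy rather than widening the workflow-level block.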
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 6bd2846040..f74ce90486 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,11 +6,19 @@ on:
 schedule:
 - cron: '0 22 * * 2'
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
 runs-on: ubuntu-20.04
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/analyze to upload SARIF results
+
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index d36ca3e8ad..98551c18a0 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '0 4 * * *'
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 build:
 name: docker build
diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml
index 2b71e0a098..852239281e 100644
--- a/.github/workflows/formatting.yml
+++ b/.github/workflows/formatting.yml
@@ -5,6 +5,9 @@ on:
 push:
 pull_request:
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 build:
 name: verify formatting and Makefile.am sort order
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 2fc954a5db..c93ed0ef87 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
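Review bot: The job-level `permissions:` under `analyze` replaces the workflow-level block rather than extending it, so the repeated `contents: read` is load-bearing and a later "deduplication" would break actions/checkout without any warning at parse time; worth recording that next to the job block, e.g. `permissions: # replaces (does not extend) the workflow-level block; keep contents: read here`. With that block in place `security-events: write` is confined to this one job, which is the right shape for the SARIF upload. The steps of the analyze job are outside the hunk.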
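Review bot: With `contents: read` now set at workflow level, `packages` drops to none for the `docker build` job in docker.yml, so if that job pushes images to ghcr.io with GITHUB_TOKEN it now needs a job-level block such as `permissions:` / `contents: read` / `packages: write`; the job's steps are outside the hunk, so this is a check to run, not a confirmed breakage. If the job only builds, or authenticates to a registry with a separately stored credential, nothing further is needed, and a one-line comment on the job saying which of the two applies would save the next reader the same question.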
@@ -1,5 +1,9 @@
 name: CIFuzz
 on: [pull_request]
+
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 Fuzzing:
 runs-on: ubuntu-20.04
diff --git a/.github/workflows/misc-dailies.yml b/.github/workflows/misc-dailies.yml
index 04771121c4..8159e831cb 100644
--- a/.github/workflows/misc-dailies.yml
+++ b/.github/workflows/misc-dailies.yml
@@ -4,6 +4,9 @@ on:
 schedule:
 - cron: '34 4 * * *'
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 el7-devtoolset:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/secpoll.yml b/.github/workflows/secpoll.yml
index c5ee41de90..be08e63e6c 100644
--- a/.github/workflows/secpoll.yml
+++ b/.github/workflows/secpoll.yml
@@ -5,6 +5,9 @@ on:
 push:
 pull_request:
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 build:
 name: check secpoll zone
diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml
index 7cf3961491..c250cd1046 100644
--- a/.github/workflows/spelling.yml
+++ b/.github/workflows/spelling.yml
@@ -4,6 +4,9 @@ on:
 push:
 branches: ''
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 placeholder:
 name: Should be disabled