From 15396bf0ead6781365b09ea761b213b6996d48bd Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Thu, 1 Dec 2022 14:34:19 +0100
Subject: [PATCH] Restrict permissions for GITHUB_TOKEN in our workflows
Added using https://github.com/step-security/secure-workflows
For more information see:
- https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#token-permissions
- https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
(cherry picked from commit aff4e1eafa5bbc4e9ef6acee9d73b2154e0ab9b9)
---
 .github/workflows/build-and-test-all.yml | 3 +++
 .github/workflows/builder-dispatch.yml | 3 +++
 .github/workflows/builder.yml | 3 +++
 .github/workflows/codeql-analysis.yml | 8 ++++++++
 .github/workflows/docker.yml | 3 +++
 .github/workflows/formatting.yml | 3 +++
 .github/workflows/fuzz.yml | 4 ++++
 7 files changed, 27 insertions(+)
diff --git a/.github/workflows/build-and-test-all.yml b/.github/workflows/build-and-test-all.yml
index 7cf156c9f3..c5b7a36986 100644
--- a/.github/workflows/build-and-test-all.yml
+++ b/.github/workflows/build-and-test-all.yml
@@ -7,6 +7,9 @@ on:
 schedule:
 - cron: '0 22 * * 3'
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 build-recursor:
 name: build recursor
diff --git a/.github/workflows/builder-dispatch.yml b/.github/workflows/builder-dispatch.yml
index 0e6db3924d..f5d90c51fc 100644
--- a/.github/workflows/builder-dispatch.yml
+++ b/.github/workflows/builder-dispatch.yml
@@ -34,6 +34,9 @@ on:
 - 'NO'
 - 'YES'
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 prepare:
 name: generate OS list
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
index fc6e23e28f..9ac0c1734d 100644
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '0 1 * * *'
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 build:
 name: build.sh
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 6fd588d4ff..d3cc6c791a 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,11 +6,19 @@ on:
 schedule:
 - cron: '0 22 * * 2'
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
 runs-on: ubuntu-20.04
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/analyze to upload SARIF results
+
 
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 77ba6db45a..51ac091a5a 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '0 4 * * *'
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 build:
 name: docker build
diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml
index 38395c5e29..544ea37de0 100644
--- a/.github/workflows/formatting.yml
+++ b/.github/workflows/formatting.yml
@@ -5,6 +5,9 @@ on:
 push:
 pull_request:
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 build:
 name: verify formatting and Makefile.am sort order
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index c42bd8f93e..9b724f6616 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -1,5 +1,9 @@
 name: CIFuzz
 on: [pull_request]
+
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ contents: read
+
 jobs:
 Fuzzing:
 runs-on: ubuntu-20.04
--
2.47.2
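Review bot: The workflow-level `permissions:` block with only `contents: read`, added after the `on:` section of build-and-test-all.yml (and identically in builder-dispatch.yml, builder.yml, docker.yml, formatting.yml and fuzz.yml), sets every scope it does not list to none for every job in the file, so any job that uses GITHUB_TOKEN for more than a checkout — pushing an image or package, publishing a release asset, writing checks or PR comments — will now fail with a 403 unless it gets a job-level `permissions:` block like the one this patch adds to codeql-analysis.yml. The jobs themselves lie outside these hunks, so this cannot be confirmed here; docker.yml and builder.yml are the files most likely to need a job-level grant such as `packages: write` if they push to GHCR with the token, and that should be checked against a run before merging. Jobs that only call actions/upload-artifact are unaffected, as artifact upload uses the runner's own token rather than a GITHUB_TOKEN scope. Keeping `contents: read` at the top and granting extra scopes per job, as the codeql hunk does, is the right shape; it would help to note that convention in the comment, e.g. `permissions: # least privileges; grant extra scopes per job, never here`.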