git.ipfire.org Git - thirdparty/libarchive.git/commitdiff
Set read-only workflow tokens (#1958)
author: Pedro Nacht <pnacht@google.com>
Mon, 4 Sep 2023 18:21:27 +0000 (15:21 -0300)
committer: GitHub <noreply@github.com>
Mon, 4 Sep 2023 18:21:27 +0000 (11:21 -0700)
Fixes #1957.

This PR ensures all workflows run with minimal permissions, instead of
with `write-all` permissions. This will protect the project from
supply-chain attacks.

The change to codeql.yml is for consistency and future-proofing. Should
another job eventually be added to the workflow, it will run with just
`contents: read`.

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
.github/workflows/ci.yml
.github/workflows/cifuzz.yml
.github/workflows/codeql.yml

index 1d7b32e235a156e37acf7c5a036b469ac356b778..e2849b47ee177b36c6f1a551ee063e469c1a0cc0 100644 (file)
@@ -2,6 +2,9 @@ name: CI
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   MacOS:
     runs-on: macos-13
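Review bot: the new workflow-level `contents: read` becomes the token's only scope for every job in ci.yml, so any job further down that relies on a write scope (commenting on pull requests, publishing packages) would now fail at runtime with a 403 instead of being caught when the file is parsed. Worth checking the rest of this file for steps that use `GITHUB_TOKEN` for anything beyond `actions/checkout`; if one exists, give that job its own `permissions:` block rather than widening the workflow-level one.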
index e5c60e4b0de2000a984a43362cf749b6bcd0419f..525b5e0207f183e8218032536a1066a0c3ca1f15 100644 (file)
@@ -1,5 +1,9 @@
 name: CIFuzz
 on: [pull_request]
+
+permissions:
+  contents: read
+
 jobs:
   Fuzzing:
     runs-on: ubuntu-latest
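Review bot: the added blank lines put one empty line between `on: [pull_request]` and `permissions:` and another before `jobs:`, matching the spacing in ci.yml; fine as is. Because this workflow is triggered by `pull_request` only, the token is already read-only for pull requests from forks, so the explicit `contents: read` mainly pins the behaviour for same-repository pull requests and for any later change of trigger, which is a good reason to keep it.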
index 1f219fc695a0bf056d98c8aa0bf5860e92d37625..f0fbf0ef62b69c9f3a1d52718d02843ef2bf4f18 100644 (file)
@@ -1,5 +1,8 @@
 name: "CodeQL"
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ "master", "3.5" ]
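Review bot: style only: here the `permissions:` block is inserted between `name:` and `on:`, whereas ci.yml and cifuzz.yml in the same PR place it after the `on:` block. Moving it below the `on:` stanza would keep the three workflows uniform, which is the stated reason for touching codeql.yml at all.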
@@ -14,7 +17,6 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       actions: read
-      contents: read
       security-events: write
 
     strategy:
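Review bot: dropping `contents: read` from the job-level block removes that scope from this job rather than falling back to the workflow-level value: a job-level `permissions:` key replaces the workflow-level block entirely, and every scope it does not list is set to `none`. After this hunk the job's token carries `actions: read` and `security-events: write` only, so any step in this job that checks out the repository with the token or reads repository contents through the API may start failing. Suggest keeping `contents: read` next to the other two job-level entries; the workflow-level block still covers any job added later that has no `permissions:` of its own.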