]> git.ipfire.org Git - thirdparty/lxc.git/commitdiff
projects / thirdparty / lxc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 099bd13)
chore: Set permissions for GitHub actions 4136/head
authorneilnaveen <42328488+neilnaveen@users.noreply.github.com>
Wed, 8 Jun 2022 01:08:12 +0000 (01:08 +0000)
committerneilnaveen <42328488+neilnaveen@users.noreply.github.com>
Wed, 8 Jun 2022 01:08:12 +0000 (01:08 +0000)
 Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
.github/workflows/build.yml patch | blob | blame | history
.github/workflows/coverity.yml patch | blob | blame | history
.github/workflows/sanitizers.yml patch | blob | blame | history
.github/workflows/static-analysis.yml patch | blob | blame | history

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 291fa58223a0de7e7b1ae2b84e69ed1c5ad61546..be62af3f212b5b22040becf97393f7d2fa4dd878 100644 (file)
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,6 +2,9 @@ name: Simple test build
 on:
   - push
   - pull_request
+permissions:
+  contents: read
+
 jobs:
   test:
     strategy:
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 9ea82a3509b4fc3d3e590da5d2c3c7c1f53dc47b..0fc981726eef9e18de3cf5bdb0e0eccc2c506510 100644 (file)
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -3,6 +3,9 @@ on:
   push:
     branches:
       - master
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/sanitizers.yml b/.github/workflows/sanitizers.yml
index 76339e19c957664f56008ea9a2d9743c381482fb..dad5c11d77a2d7b1c74e98c3c4a6ddec73b019d1 100644 (file)
--- a/.github/workflows/sanitizers.yml
+++ b/.github/workflows/sanitizers.yml
@@ -2,6 +2,9 @@ name: Sanitizers build
 on:
   - push
   - pull_request
+permissions:
+  contents: read
+
 jobs:
   sanitizers:
     strategy:
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index 0317559ad8621a27c062d637b028e6cafb3db826..4144371e27028d00eb8b6645472bc35fa4aa76c9 100644 (file)
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -2,6 +2,9 @@ name: Static analysis
 on:
   - push
   - pull_request
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-18.04
Mirror of https://github.com/lxc/lxc.git