From: Pedro Nacht Date: Mon, 4 Sep 2023 18:21:27 +0000 (-0300) Subject: Set read-only workflow tokens (#1958) X-Git-Tag: v3.7.2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a28aa1b6a4e26d2cf73efd213c95ee9453ff2b31;p=thirdparty%2Flibarchive.git Set read-only workflow tokens (#1958) Fixes #1957. This PR ensures all workflows run with minimal permissions, instead of with `write-all` permissions. This will protect the project from supply-chain attacks. The change to codeql.yml is for consistency and future-proofing. Should another job eventually be added to the workflow, it will run with just `contents: read`. Signed-off-by: Pedro Kaj Kjellerup Nacht --- diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1d7b32e23..e2849b47e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,6 +2,9 @@ name: CI on: [push, pull_request] +permissions: + contents: read + jobs: MacOS: runs-on: macos-13 diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index e5c60e4b0..525b5e020 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml @@ -1,5 +1,9 @@ name: CIFuzz on: [pull_request] + +permissions: + contents: read + jobs: Fuzzing: runs-on: ubuntu-latest diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1f219fc69..f0fbf0ef6 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,5 +1,8 @@ name: "CodeQL" +permissions: + contents: read + on: push: branches: [ "master", "3.5" ] @@ -14,7 +17,6 @@ jobs: runs-on: ubuntu-latest permissions: actions: read - contents: read security-events: write strategy:
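Review bot: In the ci.yml hunk, the new top-level `permissions: contents: read` becomes the default for every job in the file, so any job that still needs a write scope (for example to publish a release or comment on a pull request) will now fail unless it declares its own job-level `permissions:` block; worth confirming none of the CI jobs below relied on the old `write-all` default before merging.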
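Review bot: In the cifuzz.yml hunk the block is inserted with a blank line both before and after `permissions:`, whereas the ci.yml hunk places it directly under `on:` with a single trailing blank line; pick one layout for all three workflows so the next person adding a scope does not have to guess the convention.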
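Review bot: The first codeql.yml hunk puts `permissions:` above the `on:` trigger block, while ci.yml and cifuzz.yml put it below `on:`; the placement has no effect on behaviour, but since the commit message says this change is for consistency, move it under `on:` so all three files read the same way.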
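Review bot: Removing `- contents: read` from the job-level block in the second codeql.yml hunk does not fall back to the new top-level `contents: read`: a job-level `permissions:` block replaces the workflow-level one rather than merging with it, and any scope not listed in the job block is set to none. The job therefore keeps only `actions: read` and `security-events: write`, which checks out and analyses a public repository fine because anonymous read suffices, but would fail on a private repository or if a step later needs the token to read contents. Suggest keeping `contents: read` in the job block alongside the other two scopes, which is also what the CodeQL workflow template ships with.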