From a28aa1b6a4e26d2cf73efd213c95ee9453ff2b31 Mon Sep 17 00:00:00 2001
From: Pedro Nacht
Date: Mon, 4 Sep 2023 15:21:27 -0300
Subject: [PATCH] Set read-only workflow tokens (#1958)

Fixes #1957. This PR ensures all workflows run with minimal permissions, instead of with `write-all` permissions. This will protect the project from supply-chain attacks. The change to codeql.yml is for consistency and future-proofing. Should another job eventually be added to the workflow, it will run with just `contents: read`.
Signed-off-by: Pedro Kaj Kjellerup Nacht
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/cifuzz.yml | 4 ++++
 .github/workflows/codeql.yml | 4 +++-
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1d7b32e23..e2849b47e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,9 @@ name: CI
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 MacOS:
 runs-on: macos-13
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index e5c60e4b0..525b5e020 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -1,5 +1,9 @@
 name: CIFuzz
 on: [pull_request]
+
+permissions:
+ contents: read
+
 jobs:
 Fuzzing:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 1f219fc69..f0fbf0ef6 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,5 +1,8 @@
 name: "CodeQL"
+permissions:
+ contents: read
+
 on:
 push:
 branches: [ "master", "3.5" ]
@@ -14,7 +17,6 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 actions: read
- contents: read
 security-events: write
 strategy:
--
2.47.2
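Review bot: The new workflow-level `contents: read` makes that the only scope any job's GITHUB_TOKEN receives; every other scope becomes `none`, and a job that later needs one must declare its own job-level `permissions:` block, which replaces this one rather than extending it, so it has to repeat `contents: read` there too. The `jobs:` section continues past the hunk, so I can't see whether the MacOS job or any later one uses the token for more than checkout. Since `on:` includes `pull_request`, PRs from forks on a public repository were already read-only; the real tightening is for `push` runs and same-repo PRs. I'd add a comment above the key so nobody widens it here: `# Least-privilege default for GITHUB_TOKEN; grant extra scopes per job (repeating contents: read), never here.`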
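Review bot: Because this workflow runs only on `pull_request`, PRs from forks on a public repository already received a read-restricted token before this change; what the new block actually tightens is runs for PRs opened from branches in the same repository, which previously carried the default write scopes. The Fuzzing job body lies outside the hunk, so I can't confirm that no step needs another scope, for example to post a comment on the PR. A one-line comment would keep the intent clear for the next reader: `# Restricts same-repo PRs; fork PRs already get a read-only token.`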
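Review bot: The workflow-level `permissions:` is inserted between `name:` and `on:`, whereas ci.yml and cifuzz.yml in the same patch place it after `on:`; since the commit message frames this file's change as being for consistency, I'd use the same key order in all three and move the two lines below the `on:` block (which runs past the end of the hunk). Note also that this top-level block only reaches jobs that have no `permissions:` of their own; the CodeQL job further down declares one, so its scopes are decided entirely by that job-level block, not by this line.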
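Review bot: Removing `contents: read` from the job-level block is not a no-op: a job-level `permissions:` replaces the workflow-level one instead of merging with it, and every scope it leaves unspecified is set to `none`, so the CodeQL job's token now has `contents: none` even though the top of the file grants `contents: read`. On a public repository checkout may still succeed without the token, which would mask the regression; on a private repository, or wherever the CodeQL action relies on the token to read the repo, the job would lose that access. Keep the scope in the job-level list: `actions: read`, `contents: read`, `security-events: write`. The job definition starts before the hunk.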