GHA: clarify workflows permissions, set least possible privilege

Set top-level permissions to None on all workflows, setting per-job
permissions. This avoids that new jobs inherit unwanted permissions.

Discussion: https://curl.se/mail/lib-2022-11/0028.html

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Closes #9928

diff --git a/.github/workflows/appveyor-status.yml b/.github/workflows/appveyor-status.yml
index 8202a7a76c050d6239c89d26869572f2818c3cb4..f2bdc32cdfe7e04b6122dd5cb3f7eb269ea54f58 100644 (file)
--- a/.github/workflows/appveyor-status.yml
+++ b/.github/workflows/appveyor-status.yml
@@ -11,13 +11,14 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.sha }}-${{ github.event.target_url }}\r
   cancel-in-progress: true\r
 \r
-permissions:\r
-  statuses: write\r
+permissions: {}\r
 \r
 jobs:\r
   split:\r
     runs-on: ubuntu-latest\r
     if: ${{ github.event.sender.login == 'appveyor[bot]' }}\r
+    permissions:\r
+      statuses: write\r
     steps:\r
       - name: Create individual AppVeyor build statuses\r
         if: ${{ github.event.sha && github.event.target_url }}\r

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 1d2792242af692046a0823c7de4ddd4c8f2d5124..674d1a5c98860d0df7fa6ae007a264315ffccbfb 100644 (file)
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -18,12 +18,13 @@ on:
 concurrency:
   group: ${{ github.workflow }}
 
-permissions:
-  security-events: write
+permissions: {}
 
 jobs:
   codeql:
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
     - name: Checkout repository
       uses: actions/checkout@v3

diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index ca07fa699b1fbba0fb2607331e671c8d052ce75c..5a105307cb580c2962fa9253bb8e0fc4c4d83951 100644 (file)
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -17,6 +17,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   fuzzing:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/hacktoberfest-accepted.yml b/.github/workflows/hacktoberfest-accepted.yml
index 59aca121888c959f0e089d4901c2c668f30ab12e..5a326539ff504ee1c07ef393173f2c77060a1717 100644 (file)
--- a/.github/workflows/hacktoberfest-accepted.yml
+++ b/.github/workflows/hacktoberfest-accepted.yml
@@ -14,16 +14,17 @@ concurrency:
   # this should not run in parallel, so just run one at a time
   group: ${{ github.workflow }}
 
-permissions:
-  # requires issues AND pull-requests write permissions to edit labels on PRs!
-  issues: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   # add hacktoberfest-accepted label to PRs opened starting from September 30th
   # till November 1st which are closed via commit reference from master branch.
   merged:
     runs-on: ubuntu-latest
+    permissions:
+      # requires issues AND pull-requests write permissions to edit labels on PRs!
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v3
         with:

diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml
index 9ee7f04e10da93928f5cab519da8f3db4a24b718..295384afb1b97089776144e42226e6666f6d9199 100644 (file)
--- a/.github/workflows/linkcheck.yml
+++ b/.github/workflows/linkcheck.yml
@@ -23,6 +23,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   # Docs: https://github.com/marketplace/actions/markdown-link-check
   check:

diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 4574548206682c153e4d14ec5903b8634d993d25..92fed1ff717cb5b7c51a6cca8cf5404426c4273a 100644 (file)
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -17,6 +17,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}

diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index ac391615d258841c71bafcd9b5bd472eff6aa867..4d4847fd07bf547d1e6f15f9ae9751c0364ef218 100644 (file)
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -17,6 +17,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}

diff --git a/.github/workflows/ngtcp2-gnutls.yml b/.github/workflows/ngtcp2-gnutls.yml
index bec3851ba02bec700d3b641db85dd6114762e2af..96e21a49bc5dc0db55a468ddaa6c8b5f68e94383 100644 (file)
--- a/.github/workflows/ngtcp2-gnutls.yml
+++ b/.github/workflows/ngtcp2-gnutls.yml
@@ -18,6 +18,8 @@ concurrency:
   group: ngtcp2-gnutls-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}

diff --git a/.github/workflows/ngtcp2-wolfssl.yml b/.github/workflows/ngtcp2-wolfssl.yml
index e3d263c006ef1d8d98d0035f290786300caa0ac4..15de87ae7f7ccaaa29bd179b8a1c780ea721a296 100644 (file)
--- a/.github/workflows/ngtcp2-wolfssl.yml
+++ b/.github/workflows/ngtcp2-wolfssl.yml
@@ -18,6 +18,8 @@ concurrency:
   group: ngtcp2-wolfssl-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}

diff --git a/.github/workflows/proselint.yml b/.github/workflows/proselint.yml
index c7b32ccae046634dbe5df30596c9da7ce7872f46..7f723dec0d1271b35e43ded2dab0c86b1453aba9 100644 (file)
--- a/.github/workflows/proselint.yml
+++ b/.github/workflows/proselint.yml
@@ -23,6 +23,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
index c9fb48ca66931b458320486afb699aa1b57a08a7..13e2f007408573ce14f3a5311778545ecf515a70 100644 (file)
--- a/.github/workflows/reuse.yml
+++ b/.github/workflows/reuse.yml
@@ -18,6 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml
index 4a983ab29f9ce471cd455dca3f15d0f572c38d01..ee447c799ff78cbd950a0697de516772ecda59a4 100644 (file)
--- a/.github/workflows/spellcheck.yml
+++ b/.github/workflows/spellcheck.yml
@@ -21,10 +21,11 @@ on:
     - '**.1'
     - '.github/**'
 
+permissions: {}
+
 jobs:
   check:
     runs-on: ubuntu-latest
-
     steps:
     - uses: actions/checkout@v2
 

diff --git a/.github/workflows/torture.yml b/.github/workflows/torture.yml
index 58353fd3577b512a52a24b762730bcbf0da232c5..4c9a789198064df75dbace07807593c8867e2138 100644 (file)
--- a/.github/workflows/torture.yml
+++ b/.github/workflows/torture.yml
@@ -18,6 +18,8 @@ concurrency:
   group: torture-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}

diff --git a/.github/workflows/wolfssl.yml b/.github/workflows/wolfssl.yml
index e41434f23a0f8069249763bd47caae9e1b8cdc9a..f91057372a4079b0ec455c569dc921f74556327f 100644 (file)
--- a/.github/workflows/wolfssl.yml
+++ b/.github/workflows/wolfssl.yml
@@ -18,6 +18,8 @@ concurrency:
   group: wolfssl-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}