From: Diogo Teles Sant'Anna
Date: Wed, 16 Nov 2022 14:55:33 +0000 (-0300)
Subject: GHA: clarify workflows permissions, set least possible privilege
X-Git-Tag: curl-7_87_0~76
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a2f5a4ca6f2cd1b6d10a46e8710d85ca2bc2dba9;p=thirdparty%2Fcurl.git

GHA: clarify workflows permissions, set least possible privilege

Set top-level permissions to None on all workflows, setting per-job permissions. This avoids that new jobs inherit unwanted permissions.

Discussion: https://curl.se/mail/lib-2022-11/0028.html

Signed-off-by: Diogo Teles Sant'Anna
Closes #9928
---
diff --git a/.github/workflows/appveyor-status.yml b/.github/workflows/appveyor-status.yml
index 8202a7a76c..f2bdc32cdf 100644
--- a/.github/workflows/appveyor-status.yml
+++ b/.github/workflows/appveyor-status.yml
@@ -11,13 +11,14 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.sha }}-${{ github.event.target_url }}
   cancel-in-progress: true
 
-permissions:
-  statuses: write
+permissions: {}
 
 jobs:
   split:
     runs-on: ubuntu-latest
     if: ${{ github.event.sender.login == 'appveyor[bot]' }}
+    permissions:
+      statuses: write
     steps:
       - name: Create individual AppVeyor build statuses
         if: ${{ github.event.sha && github.event.target_url }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 1d2792242a..674d1a5c98 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -18,12 +18,13 @@ on:
 concurrency:
   group: ${{ github.workflow }}
 
-permissions:
-  security-events: write
+permissions: {}
 
 jobs:
   codeql:
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index ca07fa699b..5a105307cb 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
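Review bot: The new top-level `permissions: {}` carries no comment explaining that it is deliberately empty, so the next job added to this file (or a workflow copied from it) may be written without any grant and fail, or be given a broad top-level grant again; I'd put `# no default token scopes: each job grants only what it needs` directly above it. The job-level `statuses: write` is now held only by `split`, behind the `if: ${{ github.event.sender.login == 'appveyor[bot]' }}` guard on the incoming status event, which is the right place for it, but it too deserves a why-comment such as `# needed to create one commit status per AppVeyor job` so the scope is not widened later without thought. Whether the step that actually uses the scope interpolates `github.event.target_url` into a shell line cannot be seen from this hunk, since the step body continues outside it.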
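Review bot: With `permissions: {}` at the top and only `security-events: write` granted on the `codeql` job, the token no longer has `contents: read`; the `actions/checkout@v3` step below still works only because the repository is public, and the codeql-action's published minimum for private repositories is, as far as I recall, `actions: read` plus `contents: read` on top of `security-events: write` (confirm against the action version in use). That limitation is worth recording next to the grant, e.g. `# upload results to code scanning; a private repo would also need actions: read and contents: read`. Separately, the checkout action is referenced by a mutable major-version tag, which is the remaining supply-chain exposure for a job that holds a write scope; pinning to a full commit SHA closes it. The rest of the step list is outside the hunk.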
@@ -17,6 +17,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   fuzzing:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/hacktoberfest-accepted.yml b/.github/workflows/hacktoberfest-accepted.yml
index 59aca12188..5a326539ff 100644
--- a/.github/workflows/hacktoberfest-accepted.yml
+++ b/.github/workflows/hacktoberfest-accepted.yml
@@ -14,16 +14,17 @@ concurrency:
   # this should not run in parallel, so just run one at a time
   group: ${{ github.workflow }}
 
-permissions:
-  # requires issues AND pull-requests write permissions to edit labels on PRs!
-  issues: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   # add hacktoberfest-accepted label to PRs opened starting from September 30th
   # till November 1st which are closed via commit reference from master branch.
   merged:
     runs-on: ubuntu-latest
+    permissions:
+      # requires issues AND pull-requests write permissions to edit labels on PRs!
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v3
         with:
diff --git a/.github/workflows/linkcheck.yml b/.github/workflows/linkcheck.yml
index 9ee7f04e10..295384afb1 100644
--- a/.github/workflows/linkcheck.yml
+++ b/.github/workflows/linkcheck.yml
@@ -23,6 +23,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   # Docs: https://github.com/marketplace/actions/markdown-link-check
   check:
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 4574548206..92fed1ff71 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -17,6 +17,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index ac391615d2..4d4847fd07 100644
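Review bot: The `merged` job now holds `issues: write` and `pull-requests: write` and its first step is `actions/checkout@v3 with:`, whose arguments fall outside the hunk; if that `with:` block checks out a ref taken from the triggering event (a PR head, for example) and any later step executes code from the tree, the write-scoped token is exposed to that code, so it is worth confirming that only the default branch is checked out here. The moved comment is kept, but I'd make the reason explicit, `# labels on PRs are edited through the issues API, so both write scopes are required`, since `issues: write` otherwise looks like a leftover. The trigger and the remainder of the job are outside the hunk, and `actions/checkout@v3` is a mutable tag; given the scopes this job carries, pinning it to a commit SHA is the one supply-chain hardening still missing.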
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -17,6 +17,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}
diff --git a/.github/workflows/ngtcp2-gnutls.yml b/.github/workflows/ngtcp2-gnutls.yml
index bec3851ba0..96e21a49bc 100644
--- a/.github/workflows/ngtcp2-gnutls.yml
+++ b/.github/workflows/ngtcp2-gnutls.yml
@@ -18,6 +18,8 @@ concurrency:
   group: ngtcp2-gnutls-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}
diff --git a/.github/workflows/ngtcp2-wolfssl.yml b/.github/workflows/ngtcp2-wolfssl.yml
index e3d263c006..15de87ae7f 100644
--- a/.github/workflows/ngtcp2-wolfssl.yml
+++ b/.github/workflows/ngtcp2-wolfssl.yml
@@ -18,6 +18,8 @@ concurrency:
   group: ngtcp2-wolfssl-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}
diff --git a/.github/workflows/proselint.yml b/.github/workflows/proselint.yml
index c7b32ccae0..7f723dec0d 100644
--- a/.github/workflows/proselint.yml
+++ b/.github/workflows/proselint.yml
@@ -23,6 +23,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
index c9fb48ca66..13e2f00740 100644
--- a/.github/workflows/reuse.yml
+++ b/.github/workflows/reuse.yml
@@ -18,6 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml
index 4a983ab29f..ee447c799f 100644
--- a/.github/workflows/spellcheck.yml
+++ b/.github/workflows/spellcheck.yml
@@ -21,10 +21,11 @@ on:
       - '**.1'
       - '.github/**'
 
+permissions: {}
+
 jobs:
   check:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v2
 
diff --git a/.github/workflows/torture.yml b/.github/workflows/torture.yml
index 58353fd357..4c9a789198 100644
--- a/.github/workflows/torture.yml
+++ b/.github/workflows/torture.yml
@@ -18,6 +18,8 @@ concurrency:
   group: torture-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}
diff --git a/.github/workflows/wolfssl.yml b/.github/workflows/wolfssl.yml
index e41434f23a..f91057372a 100644
--- a/.github/workflows/wolfssl.yml
+++ b/.github/workflows/wolfssl.yml
@@ -18,6 +18,8 @@ concurrency:
   group: wolfssl-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   autotools:
     name: ${{ matrix.build.name }}
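Review bot: Besides adding `permissions: {}`, this hunk also deletes the blank line between `runs-on: ubuntu-latest` and `steps:`, an unrelated whitespace change that muddies a commit whose stated purpose is purely about token scopes; I'd drop that removed line and keep the hunk to the permissions change. While here, `actions/checkout@v2` is a major version behind the `@v3` every other workflow touched by this commit uses, and like those references it is a mutable tag, so bring it in line with the others and consider pinning to a commit SHA. The job body continues outside the hunk, so whether any later step needs a scope the now-empty token no longer has cannot be checked from here.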