From 023eb3380d09f916a53c54eb86670d8c5db5c6e6 Mon Sep 17 00:00:00 2001 From: Naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Tue, 31 May 2022 16:23:12 -0500 Subject: [PATCH] chore: Set permissions for GitHub actions (#2496) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/android.yml | 5 +++++ .github/workflows/cmake.yml | 3 +++ .github/workflows/linux.yml | 5 +++++ .github/workflows/linux_examples.yml | 3 +++ .github/workflows/macos.yml | 5 +++++ .github/workflows/windows.yml | 5 +++++ .github/workflows/windows_examples.yml | 3 +++ 7 files changed, 29 insertions(+) diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml index 39759dae..4547bd60 100644 --- a/.github/workflows/android.yml +++ b/.github/workflows/android.yml @@ -16,8 +16,13 @@ on: release: types: [published] +permissions: + contents: read + jobs: build: + permissions: + contents: write # for actions/upload-release-asset to upload release asset runs-on: windows-latest strategy: fail-fast: false diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index 6e2b11e8..fc2885a9 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -23,6 +23,9 @@ env: # Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.) BUILD_TYPE: Release +permissions: + contents: read + jobs: build_windows: name: Windows Build diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 15109e90..c7448241 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -15,8 +15,13 @@ on: release: types: [published] +permissions: + contents: read + jobs: build: + permissions: + contents: write # for actions/upload-release-asset to upload release asset runs-on: ubuntu-latest strategy: fail-fast: false diff --git a/.github/workflows/linux_examples.yml b/.github/workflows/linux_examples.yml index fc56b4ad..3084af05 100644 --- a/.github/workflows/linux_examples.yml +++ b/.github/workflows/linux_examples.yml @@ -14,6 +14,9 @@ on: - 'examples/**' - '.github/workflows/linux_examples.yml' +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index c98c3a4d..53588dff 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml @@ -15,8 +15,13 @@ on: release: types: [published] +permissions: + contents: read + jobs: build: + permissions: + contents: write # for actions/upload-release-asset to upload release asset runs-on: macos-latest env: diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 34d2db5f..4d6357cc 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -15,8 +15,13 @@ on: release: types: [published] +permissions: + contents: read + jobs: build: + permissions: + contents: write # for actions/upload-release-asset to upload release asset runs-on: windows-latest strategy: fail-fast: false diff --git a/.github/workflows/windows_examples.yml b/.github/workflows/windows_examples.yml index 0309a566..13627399 100644 --- a/.github/workflows/windows_examples.yml +++ b/.github/workflows/windows_examples.yml @@ -14,6 +14,9 @@ on: - 'examples/**' - '.github/workflows/windows_examples.yml' +permissions: + contents: read + jobs: build: runs-on: windows-latest