From 546370c9e778d99e7176641123e5cc1d0b62acab Mon Sep 17 00:00:00 2001 From: Joyce Date: Mon, 13 Mar 2023 08:14:35 -0300 Subject: [PATCH] Set minimal permissions to Github Workflows (#3972) --- .github/workflows/cifuzz.yml | 4 ++++ .github/workflows/codeql-analysis.yml | 5 +++++ .github/workflows/labeler.yml | 2 ++ .github/workflows/macos.yml | 3 +++ .github/workflows/publish_documentation.yml | 3 +++ .github/workflows/ubuntu.yml | 6 ++++++ .github/workflows/windows.yml | 3 +++ 7 files changed, 26 insertions(+) diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index f111ccdc92..0fd355bce5 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml @@ -1,5 +1,9 @@ name: CIFuzz on: [pull_request] + +permissions: + contents: read + jobs: Fuzzing: runs-on: ubuntu-latest diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 7ba83ac1c7..9a87e828d1 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -10,6 +10,9 @@ on: schedule: - cron: '0 19 * * 1' workflow_dispatch: + +permissions: + contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} @@ -19,6 +22,8 @@ jobs: CodeQL-Build: runs-on: ubuntu-latest + permissions: + security-events: write steps: - name: Checkout repository diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 66cb7eb348..11925e1af0 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -4,6 +4,8 @@ on: pull_request_target: types: [opened, synchronize] +permissions: {} + jobs: label: permissions: diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index ed867f45fe..b2cb429abd 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml 
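Review bot: The job-level block `permissions: security-events: write` on CodeQL-Build replaces the workflow-level map instead of extending it, so every scope it does not list — including the `contents: read` granted a few lines earlier in this file — drops to none for this job. The ci_test_coverage job in ubuntu.yml repeats `contents: read` next to `checks: write` for exactly this reason, and this job should do the same: `permissions:` / `contents: read` / `security-events: write`. The job's steps continue outside the hunk, so whether any of them depend on the token for repository access cannot be confirmed from here.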
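Review bot: `permissions: {}` at the top of labeler.yml is the right default for a `pull_request_target` workflow, since that trigger runs with a write-capable token in the base repository even for pull requests from forks, so the grants that matter are the ones in the job-level `permissions:` block that begins on the hunk's last line and continues outside it. That block should list only what the labeling step needs (`pull-requests: write` for actions/labeler) and the job must not check out or execute code from the PR head under this trigger; neither can be confirmed from the visible lines. A comment above the empty map, e.g. `# pull_request_target: deny everything by default, grant per job`, would record why the top-level map is empty rather than `contents: read` like the other workflows.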
@@ -9,6 +9,9 @@ on: pull_request: workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} cancel-in-progress: true diff --git a/.github/workflows/publish_documentation.yml b/.github/workflows/publish_documentation.yml index 65c42a74e0..f5e5c2c754 100644 --- a/.github/workflows/publish_documentation.yml +++ b/.github/workflows/publish_documentation.yml @@ -10,6 +10,9 @@ on: - docs/examples/** workflow_dispatch: +permissions: + contents: read + # we don't want to have concurrent jobs, and we don't want to cancel running jobs to avoid broken publications concurrency: group: documentation diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml index 52e7534366..7a80c3ee61 100644 --- a/.github/workflows/ubuntu.yml +++ b/.github/workflows/ubuntu.yml @@ -8,6 +8,9 @@ on: - release/* pull_request: workflow_dispatch: + +permissions: + contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} @@ -102,6 +105,9 @@ jobs: ci_test_coverage: runs-on: ubuntu-latest container: ghcr.io/nlohmann/json-ci:v2.4.0 + permissions: + contents: read + checks: write steps: - uses: actions/checkout@v3 - name: Run CMake diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 00bd337da9..f4d4152272 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -9,6 +9,9 @@ on: pull_request: workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} cancel-in-progress: true
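Review bot: The workflow-level `contents: read` added to publish_documentation.yml also applies to whichever job publishes the documentation, and publishing normally needs a write scope (`contents: write` for a push to a pages branch, or `pages: write` plus `id-token: write` for actions/deploy-pages). The diffstat records only these three insertions for this file, so no job-level grant was added in this commit; unless the publishing job already carries its own `permissions:` block (not visible here), its publish step will now be rejected with a 403. If that job does have one, a one-line comment above this block such as `# read-only by default; the publish job grants what it needs at job level` would make the intent explicit.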
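Review bot: `checks: write` on ci_test_coverage in ubuntu.yml is the only write scope granted across the build workflows and presumably serves a step that posts a check run, which lies outside the hunk. For `pull_request` events from forks the GITHUB_TOKEN is capped at read access regardless of the `permissions` map, so that step will fail or silently do nothing on fork PRs; it should be guarded with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` (or marked `continue-on-error: true`) and the grant documented with a comment such as `# checks: write — publishes the coverage check run; has no effect on fork PRs`. Repeating `contents: read` alongside `checks: write` is correct here, since a job-level block replaces the workflow-level map entirely.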