authornaveen <172697+naveensrinivasan@users.noreply.github.com>2022-05-03 01:03:35 +0000
committernaveen <172697+naveensrinivasan@users.noreply.github.com>2022-05-03 01:03:35 +0000
commit66f41fd85a8cbcebe5b05feb63a079e131a54438 (patch)
tree5d53c2e278a09fd3a150bc1bfd3886083651d68d /.github/workflows
parent7236360c1c5d1f45df7766a33c7db1f7659d857c (diff)
downloadATCD-66f41fd85a8cbcebe5b05feb63a079e131a54438.tar.gz
chore: Set permissions for GitHub actions
Restrict the GitHub token permissions to only the required ones; this way, even if an attacker succeeds in compromising the workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
Diffstat (limited to '.github/workflows')
-rw-r--r--.github/workflows/face.yml3
-rw-r--r--.github/workflows/fuzz.yml3
-rw-r--r--.github/workflows/linux.yml7
-rw-r--r--.github/workflows/macosx.yml3
4 files changed, 16 insertions, 0 deletions
diff --git a/.github/workflows/face.yml b/.github/workflows/face.yml
index f67073b9151..5e244a5a409 100644
--- a/.github/workflows/face.yml
+++ b/.github/workflows/face.yml
@@ -11,6 +11,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
build:
strategy:
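Review bot: The new `contents: read` line carries no rationale comment, whereas the linux.yml hunk in this same commit annotates each scope with the step that needs it; for consistency, write `contents: read # for actions/checkout to fetch code` here and in the fuzz.yml and macosx.yml hunks. Only the workflow-level default is visible in the hunk, so any step further down that needs a write scope (publishing release assets, commenting on pull requests, and the like) would now fail with a permissions error rather than run with the previous default token; that needs confirming against the rest of each workflow, which lies outside the hunk.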
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 42002aeb592..94e9934846d 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -11,6 +11,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index e5a50b5548f..fcc2080bbd8 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -11,8 +11,15 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
build:
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/analyze to upload SARIF results
strategy:
fail-fast: false
matrix:
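Review bot: The job-level block grants `security-events: write` to every leg of the `build` matrix, which is broader than needed if only some matrix entries run CodeQL; the matrix definition continues outside the hunk, so this is inferred rather than certain. If that is the case, the tighter shape is a separate CodeQL job that alone carries `actions: read`, `contents: read` and `security-events: write`, leaving `build` on the workflow-level `contents: read` default. Note also that a job-level `permissions` block replaces the workflow-level one entirely rather than extending it, which is why `contents: read` has to be repeated here; a comment above the block, `# job-level permissions replace the top-level block: list every scope this job needs`, would keep the next editor from dropping it.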
diff --git a/.github/workflows/macosx.yml b/.github/workflows/macosx.yml
index f344f7d66c7..26699f42c46 100644
--- a/.github/workflows/macosx.yml
+++ b/.github/workflows/macosx.yml
@@ -11,6 +11,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
build:
strategy: