authorDiogo Teles Sant'Anna <diogoteles@google.com>2023-03-06 14:26:11 +0000
committerAzat Khuzhin <a3at.mail@gmail.com>2023-03-06 21:18:59 +0100
commit99a4b1a7865fdfb965868901701463b1a0ee7174 (patch)
tree8adc19230fc8ebaf2a599c7dd78a1a8b02f04a1c
parent6bfa58055919a12acec070cdecef1bfb69f4e4d2 (diff)
downloadlibevent-99a4b1a7865fdfb965868901701463b1a0ee7174.tar.gz
ci: set minimal permissions on GitHub Actions
Change made by setting top-level read-only permissions, with any other necessary permissions set at job level. Closes #1421 Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
-rw-r--r--.github/workflows/build.yml2
-rw-r--r--.github/workflows/cifuzz.yml1
-rw-r--r--.github/workflows/master.yml9
3 files changed, 12 insertions, 0 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 99ec32be..b031e045 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,6 +25,8 @@ on:
- 'whatsnew*'
- 'LICENSE'
+permissions: read-all
+
jobs:
linux-cmake-job:
runs-on: ${{ matrix.os }}
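Review bot: `permissions: read-all` grants GITHUB_TOKEN read access on every scope (packages, pull-requests, issues, security-events, and so on), which is broader than a build-and-test workflow normally needs; if the jobs in this file only check out and build, the tighter least-privilege form is `permissions:` followed by `  contents: read`. The same consideration applies to the top-level lines added in cifuzz.yml and master.yml. The job definitions run past this hunk, so which scopes they actually use cannot be confirmed from here.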
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index e7ef4776..6c9b1828 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -11,6 +11,7 @@ on:
push:
branches:
- master
+permisisons: read-all
jobs:
Fuzzing:
runs-on: ubuntu-latest
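Review bot: The new top-level key in cifuzz.yml is misspelled — `permisisons: read-all` — so the read-only token scope the commit describes is not applied to this workflow: GitHub's workflow schema either rejects the unknown key at trigger time or the default token permissions stay in force, and in both cases the restriction is missing. Change it to `permissions: read-all`. For consistency with build.yml and master.yml, a blank line between it and `jobs:` would also help readability.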
diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
index 8f6c7b72..006daed7 100644
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@@ -6,8 +6,13 @@ on:
branches:
- master
+permissions: read-all
+
jobs:
coverage-job:
+ permissions:
+ checks: write # for coverallsapp/github-action to create new checks
+ contents: read # for actions/checkout to fetch code
runs-on: ubuntu-18.04
steps:
- uses: actions/checkout@v2.0.0
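Review bot: The job-level `permissions` block added for `coverage-job` here, and the ones for `abi-job` and `doxygen-job` in the next two hunks, replace the workflow-level `read-all` for that job rather than extending it, so any scope a job uses beyond the listed ones is silently dropped; `coverage-job` lists `contents: read` for that reason, while the other two blocks carry only `contents: write` and rely on write implying read for checkout. A one-line comment above each job-level block, e.g. `# job-level permissions replace the workflow-level read-all; list every scope this job needs`, would make that contract explicit for future edits. `contents: write` is the scope that lets GITHUB_TOKEN push, which is consistent with the `branches: - master` push trigger at the top of this file rather than a fork pull-request trigger.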
@@ -49,6 +54,8 @@ jobs:
name: coverage-build
path: build
abi-job:
+ permissions:
+ contents: write # for Git to git push
runs-on: ubuntu-18.04
## TODO: use docker image, but for now this is not possible without hacks
## due to even public registry require some authentication:
@@ -112,6 +119,8 @@ jobs:
path: /tmp/le-abi-root/work/abi-check
doxygen-job:
+ permissions:
+ contents: write # for Git to git push
runs-on: ubuntu-18.04
strategy:
fail-fast: false