From 311df6bb0f861154e6a27144c226c805c7554a94 Mon Sep 17 00:00:00 2001 From: Alex Date: Mon, 26 Sep 2022 15:52:46 +0100 Subject: patch 9.0.0593: CI actions have too many permissions Problem: CI actions have too many permissions. Solution: Restrict permissions to what is required. (closes #11223) --- .github/workflows/ci.yml | 3 +++ .github/workflows/codeql-analysis.yml | 7 +++++++ .github/workflows/coverity.yml | 3 +++ 3 files changed, 13 insertions(+) (limited to '.github') diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6c1b35953..c9889498e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,6 +12,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} cancel-in-progress: true +permissions: + contents: read # to fetch code (actions/checkout) + jobs: linux: runs-on: ubuntu-20.04 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index efb9e6699..efd91a4de 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -21,8 +21,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} cancel-in-progress: true +permissions: + contents: read # to fetch code (actions/checkout) + jobs: analyze: + permissions: + contents: read # to fetch code (actions/checkout) + security-events: write # (github/codeql-action/autobuild) + name: Analyze runs-on: ubuntu-latest diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index ce21ab262..9cbd34b40 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -4,6 +4,9 @@ on: - cron: '42 0 * * *' # Run once per day, to avoid Coverity's submission limits workflow_dispatch: +permissions: + contents: read # to fetch code (actions/checkout) + jobs: scan: runs-on: ubuntu-20.04 -- cgit v1.2.1