Set minimal permissions to Github Workflows (#3972)

2023-03-13 08:14:35 -03:00 · 2023-03-13 08:14:35 -03:00 · 546370c9e7
parent bbe337c3a3
commit 546370c9e7
7 changed files with 26 additions and 0 deletions
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@ -1,5 +1,9 @@
 name: CIFuzz
 on: [pull_request]
+
+permissions:
+  contents: read
+
 jobs:
  Fuzzing:
    runs-on: ubuntu-latest
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -10,6 +10,9 @@ on:
  schedule:
    - cron: '0 19 * * 1'
  workflow_dispatch:
+  
+permissions:
+  contents: read

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
@ -19,6 +22,8 @@ jobs:
  CodeQL-Build:

    runs-on: ubuntu-latest
+    permissions:
+      security-events: write

    steps:
    - name: Checkout repository
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@ -4,6 +4,8 @@ on:
  pull_request_target:
    types: [opened, synchronize]

+permissions: {}
+
 jobs:
  label:
    permissions:
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@ -9,6 +9,9 @@ on:
  pull_request:
  workflow_dispatch:

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
  cancel-in-progress: true
--- a/.github/workflows/publish_documentation.yml
+++ b/.github/workflows/publish_documentation.yml
@ -10,6 +10,9 @@ on:
      - docs/examples/**
  workflow_dispatch:

+permissions:
+  contents: read
+
 # we don't want to have concurrent jobs, and we don't want to cancel running jobs to avoid broken publications
 concurrency:
  group: documentation
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@ -8,6 +8,9 @@ on:
      - release/*
  pull_request:
  workflow_dispatch:
+  
+permissions:
+  contents: read

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
@ -102,6 +105,9 @@ jobs:
  ci_test_coverage:
    runs-on: ubuntu-latest
    container: ghcr.io/nlohmann/json-ci:v2.4.0
+    permissions:
+      contents: read
+      checks: write
    steps:
      - uses: actions/checkout@v3
      - name: Run CMake
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@ -9,6 +9,9 @@ on:
  pull_request:
  workflow_dispatch:

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
  cancel-in-progress: true