From 3a2c8dd4f877be7e971cc452df68bf95711e7b18 Mon Sep 17 00:00:00 2001 From: nathannaveen <42319948+nathannaveen@users.noreply.github.com> Date: Thu, 5 May 2022 01:31:24 +0000 Subject: [PATCH] chore: Set permissions for GitHub actions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: nathannaveen <42319948+nathannaveen@users.noreply.github.com> --- .github/workflows/build_test.yml | 3 +++ .github/workflows/labeler.yml | 6 ++++++ .github/workflows/lint.yml | 6 ++++++ .github/workflows/release.yml | 3 +++ .github/workflows/shellcheck.yml | 3 +++ .github/workflows/test.yml | 3 +++ 6 files changed, 24 insertions(+) diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml index 6cc797b..85ca66f 100644 --- a/.github/workflows/build_test.yml +++ b/.github/workflows/build_test.yml @@ -1,5 +1,8 @@ on: [push, pull_request] name: Build Test +permissions: + contents: read + jobs: build_test_v3: strategy: diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 31e78f8..218b89e 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -2,8 +2,14 @@ name: "Pull Request Labeler" on: - pull_request_target +permissions: + contents: read + jobs: triage: + permissions: + contents: read # for actions/labeler to determine modified files + pull-requests: write # for actions/labeler to add labels to PRs runs-on: ubuntu-latest steps: - uses: actions/labeler@v4 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 80024e0..3251245 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -4,8 +4,14 @@ on: push: pull_request: +permissions: + contents: read + jobs: golangci: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: read # for golangci/golangci-lint-action to fetch pull requests name: lint runs-on: ubuntu-latest steps: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1637239..0d807ba 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,6 +3,9 @@ on: - cron: '0 1 1 * *' # UTC 01:00 on the first day of the Month name: Release +permissions: + contents: read + jobs: release: runs-on: ubuntu-latest diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index 1c4d236..04bb575 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -1,5 +1,8 @@ on: [push, pull_request] name: Shellcheck +permissions: + contents: read + jobs: shellcheck: name: Shellcheck diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 66947fd..d25aa93 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,5 +1,8 @@ on: [push, pull_request] name: Test +permissions: + contents: read + jobs: test_v3_module: strategy: