Commit b29b9e8e by nathannaveen

chore: Set permissions for GitHub actions

Restrict the GitHub token permissions only to the required ones; this way, even if attackers succeed in compromising your workflow, they won't be able to do much.

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: nathannaveen <42319948+nathannaveen@users.noreply.github.com>
parent 3847522e
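A stdlib-only audit of the pattern this commit applies, added here as an example; it is not code from the project, nor the Scorecard Token-Permissions check linked above. It parses a workflow's `permissions:` blocks, applies GitHub's rule that a job-level block replaces rather than extends the workflow-level one, and flags jobs that still run with the repository default token or hold write scopes. BEFORE and AFTER are constructed samples (AFTER mirrors the CodeQL hunk on this page); the function names are this example's own.

```python
"""Audit GitHub Actions workflows for GITHUB_TOKEN scoping (added example, not
part of this commit).  Indentation-based scan of block-style YAML like the
workflows here; flow mappings, anchors and multi-line scalars are out of scope."""
import re
from typing import Dict, List, Optional, Tuple, Union

Perms = Union[str, Dict[str, str]]  # "read-all" / "write-all" or {scope: access}
_KV = re.compile(r"^(?P<indent> *)(?P<key>[A-Za-z0-9_.-]+):(?: +(?P<val>.*))?$")

def _tokens(text: str) -> List[Tuple[int, Optional[str], str]]:
    """Drop comments and blank lines; return (indent, key or None, value) per line."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.strip():
            m = _KV.match(line)  # "- cron: ..." list items have no key and fall to the else arm
            out.append((len(m["indent"]), m["key"], (m["val"] or "").strip()) if m
                       else (len(line) - len(line.lstrip(" ")), None, line.strip()))
    return out

def _block(items, i) -> Tuple[Perms, int]:
    """Parse the permissions entry at items[i]; return (perms, index after it)."""
    indent, _, val = items[i]
    if val:  # shorthand forms: read-all, write-all, {}
        return ({} if val == "{}" else val), i + 1
    perms, i = {}, i + 1
    while i < len(items) and items[i][0] > indent:
        if items[i][1]:
            perms[items[i][1]] = items[i][2]
        i += 1
    return perms, i

def parse_permissions(text: str) -> Tuple[Optional[Perms], Dict[str, Optional[Perms]]]:
    """Return (workflow-level permissions or None, {job: its own permissions or None})."""
    items, top, jobs, i = _tokens(text), None, {}, 0
    while i < len(items):
        indent, key, _ = items[i]
        if indent == 0 and key == "permissions":
            top, i = _block(items, i)
        elif indent == 0 and key == "jobs" and i + 1 < len(items) and items[i + 1][0] > 0:
            job_indent, i = items[i + 1][0], i + 1
            while i < len(items) and items[i][0] > 0:
                indent, key, _ = items[i]
                if indent != job_indent or not key:
                    i += 1
                    continue
                jobs[key], i = None, i + 1  # job found; look for its permissions: field
                field_indent = items[i][0] if i < len(items) else job_indent
                while i < len(items) and items[i][0] > job_indent:
                    if items[i][0] == field_indent and items[i][1] == "permissions":
                        jobs[key], i = _block(items, i)
                    else:
                        i += 1
        else:
            i += 1
    return top, jobs

def effective_permissions(text: str, job: str) -> Optional[Perms]:
    """GitHub semantics: a job-level block replaces the workflow default instead of
    merging with it; None means the repository's default token permissions apply."""
    top, jobs = parse_permissions(text)
    return jobs[job] if jobs[job] is not None else top

def audit_workflow(text: str) -> List[Tuple[str, str]]:
    """'error' for absent or write-all grants; 'warn' for write scopes to confirm."""
    top, jobs = parse_permissions(text)
    findings = [("error", "workflow grants write-all to GITHUB_TOKEN")] if top == "write-all" else []
    for job in jobs:
        eff = effective_permissions(text, job)
        if eff is None:
            findings.append(("error", f"job '{job}' inherits the repository default token "
                                      "permissions; add permissions: at workflow or job level"))
        elif eff == "write-all" and jobs[job] is not None:
            findings.append(("error", f"job '{job}' grants write-all to GITHUB_TOKEN"))
        elif isinstance(eff, dict):
            findings.extend(("warn", f"job '{job}' has {scope}: write; confirm a step needs it")
                            for scope, access in sorted(eff.items()) if access == "write")
    return findings

BEFORE = """\
on:
  schedule:
    - cron: '15 4 * * *'
jobs:
  build:
    runs-on: ubuntu-latest
"""

AFTER = """\
on:
  schedule:
    - cron: '15 4 * * *'
permissions:
  contents: read
jobs:
  analyze:
    permissions:
      actions: read # for github/codeql-action/init to get workflow details
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/analyze to upload SARIF results
    runs-on: ubuntu-latest
  build:
    runs-on: ubuntu-latest
"""

if __name__ == "__main__":
    for name, wf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_workflow(wf))
```

Run it against `.github/workflows/*.yml`: a job reported as inheriting the repository default is the case Scorecard's check penalises, and a `warn` on a write scope is a prompt to find the step that uses it, not a defect by itself (the CodeQL upload genuinely needs `security-events: write`).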
...@@ -6,6 +6,9 @@ on: ...@@ -6,6 +6,9 @@ on:
schedule: schedule:
- cron: '15 4 * * *' - cron: '15 4 * * *'
permissions:
contents: read
jobs: jobs:
# Run our nightly builds. We build a matrix with the various build # Run our nightly builds. We build a matrix with the various build
# targets and their details. Then we build either in a docker container # targets and their details. Then we build either in a docker container
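Review bot: the two added lines between `schedule:` and `jobs:` carry no comment saying what they are for, unlike the per-scope comments on the CodeQL job elsewhere in this commit; add one, for example `contents: read # GITHUB_TOKEN default for every job; a job needing more must declare its own block`, so the next person editing the nightly build knows the restriction is deliberate and that a job-level `permissions:` replaces this default rather than extending it.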
...@@ -8,8 +8,15 @@ on: ...@@ -8,8 +8,15 @@ on:
env: env:
docker-registry: ghcr.io docker-registry: ghcr.io
permissions:
contents: read
jobs: jobs:
analyze: analyze:
permissions:
actions: read # for github/codeql-action/init to get workflow details
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/analyze to upload SARIF results
name: Analyze name: Analyze
runs-on: ubuntu-latest runs-on: ubuntu-latest
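Review bot: the job-level block on `analyze` replaces the workflow-level `contents: read` instead of merging with it, so repeating `contents: read` there is required and nothing beyond the three listed scopes is granted; since this file sets `docker-registry: ghcr.io` in `env:`, confirm the analyze job does not authenticate to ghcr.io with GITHUB_TOKEN, otherwise it now also needs `packages: read` (or `write` if it pushes). The inline reasons next to each scope are the right way to document the grants; keep that style for the other workflows in this change.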
...@@ -10,6 +10,9 @@ env: ...@@ -10,6 +10,9 @@ env:
docker-registry: ghcr.io docker-registry: ghcr.io
docker-config-path: source/ci/docker docker-config-path: source/ci/docker
permissions:
contents: read
jobs: jobs:
# Run our nightly builds. We build a matrix with the various build # Run our nightly builds. We build a matrix with the various build
# targets and their details. Then we build either in a docker container # targets and their details. Then we build either in a docker container
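Review bot: this workflow builds in docker containers and its `env:` points at `docker-registry: ghcr.io` with `docker-config-path: source/ci/docker`; if any nightly job pushes images to that registry with GITHUB_TOKEN, the new workflow-level `contents: read` leaves it without `packages: write` and the push will be rejected at run time, not when the workflow is parsed. Either confirm those jobs use a separate registry credential, or give the publishing job its own block, e.g. `permissions:` / `contents: read` / `packages: write`, with a comment naming the step that needs it.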