From 9cda44f443e3734c4941f4e44a262d0dcbacda69 Mon Sep 17 00:00:00 2001 From: naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Fri, 27 May 2022 00:32:28 +0000 Subject: [PATCH] chore: Set permissions for GitHub actions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/release.yml | 7 +++++++ .github/workflows/test.yml | 3 +++ 2 files changed, 10 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0f9991c0..e5c557dc 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,9 +5,14 @@ on: tags: - "v*.*.*" +permissions: + contents: read + jobs: release: + permissions: + contents: write # for softprops/action-gh-release to create GitHub release name: Build release binaries runs-on: ${{ matrix.os }} strategy: @@ -35,6 +40,8 @@ jobs: build/c/shell.c release-windows: + permissions: + contents: write # for softprops/action-gh-release to create GitHub release name: Build release binaries for windows runs-on: windows-latest steps: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 71819468..63c90f7c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,6 +2,9 @@ name: Test on: [push, pull_request] +permissions: + contents: read + jobs: test-posix: