From dbb8ddce94b7bfe416dd88b6ea286538940d9d38 Mon Sep 17 00:00:00 2001
From: Jason Gerecke
Date: Thu, 30 Nov 2023 07:47:43 -0800
Subject: [PATCH] github: Minimize permissions granted to automated workflows / jobs

Jobs that use the GITHUB_TOKEN to perform sensitive actions on behalf of a real user may be granted a range of permissions. Instead of granting blanket permissions to read and write "all" APIs, we should really limit the permissions what any individual workflow or job can do.

This commit sets the default permissions for each workflow to "contents: read", which allows jobs to only read from the repository.

Link: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions

Signed-off-by: Jason Gerecke
---
 .github/workflows/black.yml | 3 +++
 .github/workflows/build.yml | 3 +++
 .github/workflows/coverity.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index ff250367..62941bb0 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -1,5 +1,8 @@
 on: [ push, pull_request ]
+permissions:
+ contents: read
+
 jobs:
 python-black:
 runs-on: ubuntu-20.04
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8c664f79..db43c6da 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,5 +1,8 @@
 on: [ push, pull_request ]
+permissions:
+ contents: read
+
 env:
 CFLAGS: -Werror
 UBUNTU_PACKAGES: |
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index cda14052..3720800f 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -3,6 +3,9 @@ on:
 - cron: '0 0 1,15 * *'
 workflow_dispatch:
+permissions:
+ contents: read
+
 env:
 COVERITY_SCAN_PROJECT_NAME: linuxwacom/xf86-input-wacom
 COVERITY_SCAN_NOTIFICATION_EMAIL: killertofu@gmail.com
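Review bot: The workflow-level `permissions:` block added in black.yml carries no comment explaining that it is the least-privilege default, so a future job that needs to write (publishing results, commenting on a pull request) is likely to be "fixed" by widening this block for every job instead of adding a job-level `permissions:` entry, which in GitHub Actions replaces rather than extends the workflow-level set. The same applies to the identical blocks in the build.yml and coverity.yml hunks. I would add, directly above each block, `# Least-privilege default for every job: read-only repo access. Widen only per job, with a job-level permissions block.` so the intent survives later edits. The `on:` mapping preceding the coverity.yml hunk starts outside it, and none of the hunks shows the job steps, so whether any existing job already needs more than `contents: read` cannot be confirmed from here.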