Skip to content

Commit

Permalink
Add top level permissions to all Github Actions workflows
Browse files Browse the repository at this point in the history
The default permission on the repository is already set to read only. So
in practice this makes no difference. But this makes that more explicit,
and less relying on the repository being correctly configured.

This also makes security scanning tools such as OpenSSF scorecard
happier about the overall security of our repository.
  • Loading branch information
faern committed Aug 22, 2024
1 parent ddf60c8 commit f45b3b3
Show file tree
Hide file tree
Showing 28 changed files with 90 additions and 10 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/android-app.yml
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,9 @@ on:
# Build if main is updated to ensure up-to-date caches are available
push:
branches: [main]

permissions: {}

jobs:
prepare:
name: Prepare
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/android-audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,9 @@ on:
description: Override container image
type: string
required: false

permissions: {}

jobs:
prepare:
name: Prepare
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/android-kotlin-format-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ on:
description: Override container image
type: string
required: false

permissions: {}

jobs:
prepare:
name: Prepare
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/android-static-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ on:
# Github Actions enabled, so these don't go unnoticed.
# https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs
- cron: '20 6 * * *'

permissions: {}

jobs:
mobsfscan:
name: Code scanning using mobsfscan
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/android-xml-format-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ on:
- .github/workflows/android-xml-format-check.yml
- android/**/*.xml
workflow_dispatch:

permissions: {}

jobs:
prepare:
name: Prepare
Expand Down
6 changes: 4 additions & 2 deletions .github/workflows/cargo-audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,13 @@ on:
# At 06:20 UTC every day. Will create an issue if a CVE is found.
- cron: '20 6 * * *'
workflow_dispatch:

permissions:
issues: write

jobs:
audit:
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- name: Checkout repository
uses: actions/checkout@v3
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/cargo-vendor.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@ on:
- Cargo.lock
- '**/Cargo.toml'
workflow_dispatch:

permissions: {}

jobs:
cargo-vendor:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/clippy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,9 @@ on:
- clippy.toml
- '**/*.rs'
workflow_dispatch:

permissions: {}

jobs:
prepare-android:
name: Prepare Android container
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/daemon.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,9 @@ on:
description: Override container image
type: string
required: false

permissions: {}

jobs:
prepare-linux:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/desktop-e2e.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@ on:
default: ''
required: false
type: string

permissions: {}

jobs:
prepare-matrices:
name: Prepare virtual machines
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/frontend.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ on:
- mullvad-management-interface/proto/**
workflow_dispatch:

permissions: {}

jobs:
check-frontend:
strategy:
Expand Down
10 changes: 6 additions & 4 deletions .github/workflows/ios-end-to-end-tests-api.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,14 @@
name: iOS end-to-end API tests
on:
workflow_dispatch:

permissions:
contents: read
issues: write
pull-requests: write

jobs:
reuse-e2e-workflow:
permissions:
contents: read
issues: write
pull-requests: write
uses: ./.github/workflows/ios-end-to-end-tests.yml
with:
arg_tests_json_key: "api-tests"
10 changes: 6 additions & 4 deletions .github/workflows/ios-end-to-end-tests-merge-to-main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,12 +10,14 @@ on:
paths:
- .github/workflows/ios-end-to-end-tests*.yml
- ios/**

permissions:
contents: read
issues: write
pull-requests: write

jobs:
reuse-e2e-workflow:
permissions:
contents: read
issues: write
pull-requests: write
uses: ./.github/workflows/ios-end-to-end-tests.yml
with:
arg_tests_json_key: "pr-merge-to-main"
3 changes: 3 additions & 0 deletions .github/workflows/ios-end-to-end-tests-nightly.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ on:
# Github Actions enabled, so these don't go unnoticed.
# https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs
- cron: '0 0 * * *'

permissions: {}

jobs:
reuse-e2e-workflow:
permissions:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/ios-screenshots-creation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ on:
- ios/Gemfile
- ios/Gemfile.lock
workflow_dispatch:

permissions: {}

jobs:
test:
name: Take screenshots
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/ios-screenshots-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,9 @@ on:
- ios/**/*.swift
- ios/**/*.xctestplan
workflow_dispatch:

permissions: {}

jobs:
test:
if: github.event.pull_request.merged || github.event_name == 'workflow_dispatch'
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/ios-validate-build-schemas.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,9 @@ on:
- ios/**/*.xctestplan
- Cargo.toml
workflow_dispatch:

permissions: {}

jobs:
test:
if: github.event.pull_request.merged == true
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/ios.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ on:
- ios/**/*.swift
- ios/**/*.xctestplan
workflow_dispatch:

permissions: {}

jobs:
check-formatting:
name: Check formatting
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/proto-format-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@ on:
paths:
- '**/*.proto'
workflow_dispatch:

permissions: {}

jobs:
check-formatting:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/rust-supply-chain.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ on:
- Cargo.lock
- '**/*.rs'
workflow_dispatch:

permissions: {}

jobs:
check-supply-chain:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/rust-unused-dependencies.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@ on:
env:
# Pinning nightly just to avoid random breakage. It's fine to bump this at any time
RUST_NIGHTLY_TOOLCHAIN: nightly-2024-06-06

permissions: {}

jobs:
prepare-containers:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/rustfmt.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,9 @@ on:
- rustfmt.toml
- '**/*.rs'
workflow_dispatch:

permissions: {}

jobs:
check-formatting:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/testframework-clippy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ on:
- .github/workflows/clippy-test.yml
- clippy.toml
workflow_dispatch:

permissions: {}

jobs:
clippy-check-test:
name: Clippy linting of test workspace
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/testframework-rust-supply-chain.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ on:
- 'test/**/Cargo.lock'
- 'test/**/*.rs'
workflow_dispatch:

permissions: {}

jobs:
check-test-framework-supply-chain:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/testframework-rustfmt.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ on:
- .github/workflows/rustfmt-test.yml
- rustfmt.toml
workflow_dispatch:

permissions: {}

jobs:
check-formatting-test:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/testframework.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,9 @@ on:
- '!.yamllint'
- '!**/osv-scanner.toml'
workflow_dispatch:

permissions: {}

jobs:
prepare-build-test-framework-linux:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/translations-converter.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ on:
- .github/workflows/translations-converter.yml
- android/translations-converter/**
workflow_dispatch:

permissions: {}

jobs:
check-translations:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/translations.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ on:
- gui/**
- '!**/osv-scanner.toml'
workflow_dispatch:

permissions: {}

jobs:
check-translations:
runs-on: ubuntu-latest
Expand Down

0 comments on commit f45b3b3

Please sign in to comment.