From f45b3b373418751d8c8aa7d3df78f3e1ebdd51f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Linus=20F=C3=A4rnstrand?= Date: Thu, 22 Aug 2024 09:31:06 +0200 Subject: [PATCH] Add top level `permissions` to all Github Actions workflows The default permission on the repository is already set to read only. So in practice this makes no difference. But this makes that more explicit, and relies less on the repository being correctly configured. This also makes security scanning tools such as OpenSSF scorecard happier about the overall security of our repository. --- .github/workflows/android-app.yml | 3 +++ .github/workflows/android-audit.yml | 3 +++ .github/workflows/android-kotlin-format-check.yml | 3 +++ .github/workflows/android-static-analysis.yml | 3 +++ .github/workflows/android-xml-format-check.yml | 3 +++ .github/workflows/cargo-audit.yml | 6 ++++-- .github/workflows/cargo-vendor.yml | 3 +++ .github/workflows/clippy.yml | 3 +++ .github/workflows/daemon.yml | 3 +++ .github/workflows/desktop-e2e.yml | 3 +++ .github/workflows/frontend.yml | 2 ++ .github/workflows/ios-end-to-end-tests-api.yml | 10 ++++++---- .../workflows/ios-end-to-end-tests-merge-to-main.yml | 10 ++++++---- .github/workflows/ios-end-to-end-tests-nightly.yml | 3 +++ .github/workflows/ios-screenshots-creation.yml | 3 +++ .github/workflows/ios-screenshots-tests.yml | 3 +++ .github/workflows/ios-validate-build-schemas.yml | 3 +++ .github/workflows/ios.yml | 3 +++ .github/workflows/proto-format-check.yml | 3 +++ .github/workflows/rust-supply-chain.yml | 3 +++ .github/workflows/rust-unused-dependencies.yml | 3 +++ .github/workflows/rustfmt.yml | 3 +++ .github/workflows/testframework-clippy.yml | 3 +++ .github/workflows/testframework-rust-supply-chain.yml | 3 +++ .github/workflows/testframework-rustfmt.yml | 3 +++ .github/workflows/testframework.yml | 3 +++ .github/workflows/translations-converter.yml | 3 +++ .github/workflows/translations.yml | 3 +++ 28 files changed, 90 insertions(+), 10 deletions(-) 
diff --git a/.github/workflows/android-app.yml b/.github/workflows/android-app.yml
index 93532d7acc88..5eedfb158a0b 100644
--- a/.github/workflows/android-app.yml
+++ b/.github/workflows/android-app.yml
@@ -49,6 +49,9 @@ on: # Build if main is updated to ensure up-to-date caches are available push: branches: [main]
+
+permissions: {}
+
jobs: prepare: name: Prepare
diff --git a/.github/workflows/android-audit.yml b/.github/workflows/android-audit.yml
index c0a0ca8f78b3..1f45285aeef2 100644
--- a/.github/workflows/android-audit.yml
+++ b/.github/workflows/android-audit.yml
@@ -21,6 +21,9 @@ on: description: Override container image type: string required: false
+
+permissions: {}
+
jobs: prepare: name: Prepare
diff --git a/.github/workflows/android-kotlin-format-check.yml b/.github/workflows/android-kotlin-format-check.yml
index 4eb6d54a0142..7fce9a108fe0 100644
--- a/.github/workflows/android-kotlin-format-check.yml
+++ b/.github/workflows/android-kotlin-format-check.yml
@@ -9,6 +9,9 @@ on: description: Override container image type: string required: false
+
+permissions: {}
+
jobs: prepare: name: Prepare
diff --git a/.github/workflows/android-static-analysis.yml b/.github/workflows/android-static-analysis.yml
index cc0fa5b62e34..a693740f4b49 100644
--- a/.github/workflows/android-static-analysis.yml
+++ b/.github/workflows/android-static-analysis.yml
@@ -13,6 +13,9 @@ on: # Github Actions enabled, so these don't go unnoticed. # https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs - cron: '20 6 * * *'
+
+permissions: {}
+
jobs: mobsfscan: name: Code scanning using mobsfscan
diff --git a/.github/workflows/android-xml-format-check.yml b/.github/workflows/android-xml-format-check.yml
index d051cdbf894c..4c4a1db46269 100644
--- a/.github/workflows/android-xml-format-check.yml
+++ b/.github/workflows/android-xml-format-check.yml
@@ -6,6 +6,9 @@ on: - .github/workflows/android-xml-format-check.yml - android/**/*.xml workflow_dispatch:
+
+permissions: {}
+
jobs: prepare: name: Prepare
diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml
index 3eabcdb4e05c..e3f44a3b96cb 100644
--- a/.github/workflows/cargo-audit.yml
+++ b/.github/workflows/cargo-audit.yml
@@ -10,11 +10,13 @@ on: # At 06:20 UTC every day. Will create an issue if a CVE is found. - cron: '20 6 * * *' workflow_dispatch:
+
+permissions:
+ issues: write
+
jobs: audit: runs-on: ubuntu-latest
- permissions:
- issues: write
steps: - name: Checkout repository uses: actions/checkout@v3
diff --git a/.github/workflows/cargo-vendor.yml b/.github/workflows/cargo-vendor.yml
index 64bd08328f13..14d2da77903d 100644
--- a/.github/workflows/cargo-vendor.yml
+++ b/.github/workflows/cargo-vendor.yml
@@ -11,6 +11,9 @@ on: - Cargo.lock - '**/Cargo.toml' workflow_dispatch:
+
+permissions: {}
+
jobs: cargo-vendor: runs-on: ubuntu-latest
diff --git a/.github/workflows/clippy.yml b/.github/workflows/clippy.yml
index a922f647854f..55de67775339 100644
--- a/.github/workflows/clippy.yml
+++ b/.github/workflows/clippy.yml
@@ -7,6 +7,9 @@ on: - clippy.toml - '**/*.rs' workflow_dispatch:
+
+permissions: {}
+
jobs: prepare-android: name: Prepare Android container
diff --git a/.github/workflows/daemon.yml b/.github/workflows/daemon.yml
index 723d32c48752..e8e3ee1a7a3a 100644
--- a/.github/workflows/daemon.yml
+++ b/.github/workflows/daemon.yml
@@ -33,6 +33,9 @@ on: description: Override container image type: string required: false
+
+permissions: {}
+
jobs: prepare-linux: runs-on: ubuntu-latest
diff --git a/.github/workflows/desktop-e2e.yml b/.github/workflows/desktop-e2e.yml
index 93b79401a39f..580eb0c6ebcc 100644
--- a/.github/workflows/desktop-e2e.yml
+++ b/.github/workflows/desktop-e2e.yml
@@ -25,6 +25,9 @@ on: default: '' required: false type: string
+
+permissions: {}
+
jobs: prepare-matrices: name: Prepare virtual machines
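Review bot: In the cargo-audit.yml hunk, moving `issues: write` from the `audit` job to the workflow level widens the grant from the one job that files issues to every job that is ever added to this file, which is the opposite direction from the least-privilege shape the rest of the patch adopts. I would keep `permissions: {}` at the top and leave the grant where it was, under `audit:` as `permissions:` / `issues: write`; the visible single job behaves the same either way, so this is about the default for future jobs. Since the commit message cites OpenSSF Scorecard, the `uses: actions/checkout@v3` context line in this hunk is the next thing it will flag: pinning the action to a full commit SHA rather than a mutable tag is the corresponding fix.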
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
index 92edc31599a5..fe498ef83f6f 100644
--- a/.github/workflows/frontend.yml
+++ b/.github/workflows/frontend.yml
@@ -8,6 +8,8 @@ on: - mullvad-management-interface/proto/** workflow_dispatch:
+permissions: {}
+
jobs: check-frontend: strategy:
diff --git a/.github/workflows/ios-end-to-end-tests-api.yml b/.github/workflows/ios-end-to-end-tests-api.yml
index b3d789ae7932..d70ca2b2ec71 100644
--- a/.github/workflows/ios-end-to-end-tests-api.yml
+++ b/.github/workflows/ios-end-to-end-tests-api.yml
@@ -2,12 +2,14 @@ name: iOS end-to-end API tests on: workflow_dispatch:
+
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
jobs: reuse-e2e-workflow:
- permissions:
- contents: read
- issues: write
- pull-requests: write
uses: ./.github/workflows/ios-end-to-end-tests.yml with: arg_tests_json_key: "api-tests"
diff --git a/.github/workflows/ios-end-to-end-tests-merge-to-main.yml b/.github/workflows/ios-end-to-end-tests-merge-to-main.yml
index be91e2789c48..738cd654f3bf 100644
--- a/.github/workflows/ios-end-to-end-tests-merge-to-main.yml
+++ b/.github/workflows/ios-end-to-end-tests-merge-to-main.yml
@@ -10,12 +10,14 @@ on: paths: - .github/workflows/ios-end-to-end-tests*.yml - ios/**
+
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
jobs: reuse-e2e-workflow:
- permissions:
- contents: read
- issues: write
- pull-requests: write
uses: ./.github/workflows/ios-end-to-end-tests.yml with: arg_tests_json_key: "pr-merge-to-main"
diff --git a/.github/workflows/ios-end-to-end-tests-nightly.yml b/.github/workflows/ios-end-to-end-tests-nightly.yml
index 2408b3322f28..eeb7da51f797 100644
--- a/.github/workflows/ios-end-to-end-tests-nightly.yml
+++ b/.github/workflows/ios-end-to-end-tests-nightly.yml
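Review bot: In the ios-end-to-end-tests-api.yml hunk, the job-level `permissions` on `reuse-e2e-workflow` is replaced by a workflow-level grant of `issues: write` and `pull-requests: write`, so those write scopes now apply to any job added to this file rather than only to the job that calls the reusable workflow. The nightly variant later in this same patch keeps a job-level `permissions:` block under top-level `permissions: {}` (its contents fall outside the hunk), and that is the least-privilege shape worth using here as well: `permissions: {}` at the top, with `contents: read`, `issues: write` and `pull-requests: write` restored under `reuse-e2e-workflow:`. For the single job visible here the effective token is the same either way, so this is a question of what future jobs inherit.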
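Review bot: In the ios-end-to-end-tests-merge-to-main.yml hunk, the job-level `permissions` on `reuse-e2e-workflow` is lifted to the workflow level, so `issues: write` and `pull-requests: write` become the default for every job in this file instead of only the caller of the reusable workflow. Keeping `permissions: {}` at the top and restoring `contents: read`, `issues: write`, `pull-requests: write` under `reuse-e2e-workflow:` keeps the write scopes attached to the one job that needs them. The `on:` block that decides which events this workflow runs under, and therefore who can trigger a token with these scopes, starts outside the hunk; I would double-check it is not a `pull_request_target`-style trigger, since write tokens combined with untrusted PR input is the usual way these grants go wrong.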
@@ -9,6 +9,9 @@ on: # Github Actions enabled, so these don't go unnoticed. # https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs - cron: '0 0 * * *'
+
+permissions: {}
+
jobs: reuse-e2e-workflow: permissions:
diff --git a/.github/workflows/ios-screenshots-creation.yml b/.github/workflows/ios-screenshots-creation.yml
index d4e1e28c5634..f6f9da06b328 100644
--- a/.github/workflows/ios-screenshots-creation.yml
+++ b/.github/workflows/ios-screenshots-creation.yml
@@ -9,6 +9,9 @@ on: - ios/Gemfile - ios/Gemfile.lock workflow_dispatch:
+
+permissions: {}
+
jobs: test: name: Take screenshots
diff --git a/.github/workflows/ios-screenshots-tests.yml b/.github/workflows/ios-screenshots-tests.yml
index 2c6b7341f0dd..7be181af626e 100644
--- a/.github/workflows/ios-screenshots-tests.yml
+++ b/.github/workflows/ios-screenshots-tests.yml
@@ -12,6 +12,9 @@ on: - ios/**/*.swift - ios/**/*.xctestplan workflow_dispatch:
+
+permissions: {}
+
jobs: test: if: github.event.pull_request.merged || github.event_name == 'workflow_dispatch'
diff --git a/.github/workflows/ios-validate-build-schemas.yml b/.github/workflows/ios-validate-build-schemas.yml
index 551cea16f32b..ae0610d3445f 100644
--- a/.github/workflows/ios-validate-build-schemas.yml
+++ b/.github/workflows/ios-validate-build-schemas.yml
@@ -14,6 +14,9 @@ on: - ios/**/*.xctestplan - Cargo.toml workflow_dispatch:
+
+permissions: {}
+
jobs: test: if: github.event.pull_request.merged == true
diff --git a/.github/workflows/ios.yml b/.github/workflows/ios.yml
index 078ccf2d9e89..8c0468641f2e 100644
--- a/.github/workflows/ios.yml
+++ b/.github/workflows/ios.yml
@@ -9,6 +9,9 @@ on: - ios/**/*.swift - ios/**/*.xctestplan workflow_dispatch:
+
+permissions: {}
+
jobs: check-formatting: name: Check formatting
diff --git a/.github/workflows/proto-format-check.yml b/.github/workflows/proto-format-check.yml
index e88cb3b03d67..4ca95e744f4b 100644
--- a/.github/workflows/proto-format-check.yml
+++ b/.github/workflows/proto-format-check.yml
@@ -5,6 +5,9 @@ on: paths: - '**/*.proto' workflow_dispatch:
+
+permissions: {}
+
jobs: check-formatting: runs-on: ubuntu-latest
diff --git a/.github/workflows/rust-supply-chain.yml b/.github/workflows/rust-supply-chain.yml
index 13c34a9842a1..51cd512cef61 100644
--- a/.github/workflows/rust-supply-chain.yml
+++ b/.github/workflows/rust-supply-chain.yml
@@ -9,6 +9,9 @@ on: - Cargo.lock - '**/*.rs' workflow_dispatch:
+
+permissions: {}
+
jobs: check-supply-chain: runs-on: ubuntu-latest
diff --git a/.github/workflows/rust-unused-dependencies.yml b/.github/workflows/rust-unused-dependencies.yml
index 414659bcb18a..3122ce5d03c9 100644
--- a/.github/workflows/rust-unused-dependencies.yml
+++ b/.github/workflows/rust-unused-dependencies.yml
@@ -11,6 +11,9 @@ on: env: # Pinning nightly just to avoid random breakage. It's fine to bump this at any time RUST_NIGHTLY_TOOLCHAIN: nightly-2024-06-06
+
+permissions: {}
+
jobs: prepare-containers: runs-on: ubuntu-latest
diff --git a/.github/workflows/rustfmt.yml b/.github/workflows/rustfmt.yml
index 2968efdf4971..19c7b5331d30 100644
--- a/.github/workflows/rustfmt.yml
+++ b/.github/workflows/rustfmt.yml
@@ -7,6 +7,9 @@ on: - rustfmt.toml - '**/*.rs' workflow_dispatch:
+
+permissions: {}
+
jobs: check-formatting: runs-on: ubuntu-latest
diff --git a/.github/workflows/testframework-clippy.yml b/.github/workflows/testframework-clippy.yml
index 8f2b8f63f7ca..af0bac1aaac0 100644
--- a/.github/workflows/testframework-clippy.yml
+++ b/.github/workflows/testframework-clippy.yml
@@ -8,6 +8,9 @@ on: - .github/workflows/clippy-test.yml - clippy.toml workflow_dispatch:
+
+permissions: {}
+
jobs: clippy-check-test: name: Clippy linting of test workspace
diff --git a/.github/workflows/testframework-rust-supply-chain.yml b/.github/workflows/testframework-rust-supply-chain.yml
index 2a7a7fa44f7e..3e09ee5ed2b6 100644
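Review bot: In the testframework-clippy.yml hunk, the `paths` filter lists `.github/workflows/clippy-test.yml`, but the file being edited is `.github/workflows/testframework-clippy.yml`, so edits to this workflow itself (including the `permissions` block this patch adds) will not trigger a run; it looks like a leftover from a rename. Changing the entry to `- .github/workflows/testframework-clippy.yml` restores the self-trigger. The `on:` block begins outside the hunk, so there may be other entries I cannot see.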
--- a/.github/workflows/testframework-rust-supply-chain.yml
+++ b/.github/workflows/testframework-rust-supply-chain.yml
@@ -9,6 +9,9 @@ on: - 'test/**/Cargo.lock' - 'test/**/*.rs' workflow_dispatch:
+
+permissions: {}
+
jobs: check-test-framework-supply-chain: runs-on: ubuntu-latest
diff --git a/.github/workflows/testframework-rustfmt.yml b/.github/workflows/testframework-rustfmt.yml
index 8889653183b9..78045fc7442d 100644
--- a/.github/workflows/testframework-rustfmt.yml
+++ b/.github/workflows/testframework-rustfmt.yml
@@ -8,6 +8,9 @@ on: - .github/workflows/rustfmt-test.yml - rustfmt.toml workflow_dispatch:
+
+permissions: {}
+
jobs: check-formatting-test: runs-on: ubuntu-latest
diff --git a/.github/workflows/testframework.yml b/.github/workflows/testframework.yml
index 9e4782cc99e5..8b8e7759d55e 100644
--- a/.github/workflows/testframework.yml
+++ b/.github/workflows/testframework.yml
@@ -26,6 +26,9 @@ on: - '!.yamllint' - '!**/osv-scanner.toml' workflow_dispatch:
+
+permissions: {}
+
jobs: prepare-build-test-framework-linux: runs-on: ubuntu-latest
diff --git a/.github/workflows/translations-converter.yml b/.github/workflows/translations-converter.yml
index 4cb65d3d4f4b..15023f973c4c 100644
--- a/.github/workflows/translations-converter.yml
+++ b/.github/workflows/translations-converter.yml
@@ -6,6 +6,9 @@ on: - .github/workflows/translations-converter.yml - android/translations-converter/** workflow_dispatch:
+
+permissions: {}
+
jobs: check-translations: runs-on: ubuntu-latest
diff --git a/.github/workflows/translations.yml b/.github/workflows/translations.yml
index 136b0a2f03f8..2aacd840ec43 100644
--- a/.github/workflows/translations.yml
+++ b/.github/workflows/translations.yml
@@ -10,6 +10,9 @@ on: - gui/** - '!**/osv-scanner.toml' workflow_dispatch:
+
+permissions: {}
+
jobs: check-translations: runs-on: ubuntu-latest
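Review bot: In the testframework-rustfmt.yml hunk, the `paths` filter names `.github/workflows/rustfmt-test.yml` while the workflow file itself is `.github/workflows/testframework-rustfmt.yml`, so changes to this workflow will not re-run it; presumably the file was renamed and the filter was not updated. Replacing the entry with `- .github/workflows/testframework-rustfmt.yml` fixes it. The `on:` block starts outside the hunk, so I cannot see whether other path entries have the same problem.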