Skip to content

Commit

Permalink
Add explicit security permissions to each github action
Browse files Browse the repository at this point in the history
Signed-off-by: Nigel Jones <[email protected]>
  • Loading branch information
planetf1 committed Apr 19, 2024
1 parent 34fb3d3 commit c0aa784
Show file tree
Hide file tree
Showing 8 changed files with 29 additions and 7 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/android.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
name: android build

permissions:
contents: read

on: [ push, pull_request ]

jobs:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/apple.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
name: apple build

permissions:
contents: read

on: [ push, pull_request ]

jobs:
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/release-test.yml
Original file line number Diff line number Diff line change
@@ -1,10 +1,14 @@
name: Release tests

permissions:
contents: read

# Trigger oqs-provider release tests.
# Runs whenever a release is published, or when a commit message ends with "[trigger downstream]"
# When triggered by a release, the liboqs release tag and the provider "<release tag>-tracker" branch are used.
# When triggered by a commit message, the triggering liboqs branch and the provider "<liboqs branch>-tracker" branch are used.
# If the tracker branch does not exist, the downstream pipeline should detect it and run on the main branch instead.

on:
push:
release:
Expand Down
14 changes: 7 additions & 7 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
@@ -1,8 +1,11 @@
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.

name: Scorecard supply-chain security

permissions:
contents: read
# needed to allow a badge to be created
# ie [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}/badge)](https://securityscorecards.dev/viewer/?uri=github.com/{owner}/{repo})
id-token: write
security-events: write
on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
Expand All @@ -15,9 +18,6 @@ on:
branches: [ "main" ]
pull_request:

# Declare default permissions as read only.
permissions: read-all

jobs:
analysis:
name: Scorecard analysis
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/unix.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
name: Linux and MacOS tests

permissions:
contents: read

on: [ push, pull_request ]

jobs:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/weekly.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
name: Weekly extended tests

permissions:
contents: read

on:
schedule:
- cron: "5 0 * * 0"
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/windows.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
name: Windows tests

permissions:
contents: read

on: [ push, pull_request ]

jobs:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/zephyr.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
name: Zephyr tests

permissions:
contents: read

on: [push, pull_request]

jobs:
Expand Down

0 comments on commit c0aa784

Please sign in to comment.