From c0aa78439753399ed7cb22c159c815d70cfa464f Mon Sep 17 00:00:00 2001
From: Nigel Jones
Date: Fri, 19 Apr 2024 11:15:10 +0100
Subject: [PATCH] Add explicit security permissions to each github action

Signed-off-by: Nigel Jones
---
 .github/workflows/android.yml | 3 +++
 .github/workflows/apple.yml | 3 +++
 .github/workflows/release-test.yml | 4 ++++
 .github/workflows/scorecard.yml | 14 +++++++-------
 .github/workflows/unix.yml | 3 +++
 .github/workflows/weekly.yml | 3 +++
 .github/workflows/windows.yml | 3 +++
 .github/workflows/zephyr.yml | 3 +++
 8 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
index a0414bee0..bf3891c4d 100644
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -1,5 +1,8 @@
 name: android build
 
+permissions:
+  contents: read
+
 on: [ push, pull_request ]
 
 jobs:
diff --git a/.github/workflows/apple.yml b/.github/workflows/apple.yml
index 1579ad5dc..570d4c668 100644
--- a/.github/workflows/apple.yml
+++ b/.github/workflows/apple.yml
@@ -1,5 +1,8 @@
 name: apple build
 
+permissions:
+  contents: read
+
 on: [ push, pull_request ]
 
 jobs:
diff --git a/.github/workflows/release-test.yml b/.github/workflows/release-test.yml
index 95d6f0076..af9a1d4bc 100644
--- a/.github/workflows/release-test.yml
+++ b/.github/workflows/release-test.yml
@@ -1,10 +1,14 @@
 name: Release tests
 
+permissions:
+  contents: read
+
 # Trigger oqs-provider release tests.
 # Runs whenever a release is published, or when a commit message ends with "[trigger downstream]"
 # When triggered by a release, the liboqs release tag and the provider "-tracker" branch are used.
 # When triggered by a commit message, the triggering liboqs branch and the provider "-tracker" branch are used.
 # If the tracker branch does not exist, the downstream pipeline should detect it and run on the main branch instead.
+
 on:
   push:
   release:
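Review bot: The new workflow-level `permissions:` block narrows GITHUB_TOKEN to `contents: read` for every job in the file, but nothing on the new side records that, so a job added later that needs a write scope (artifact, release or SARIF upload) will hit a token-permission error at run time rather than an obvious configuration mistake. Suggest a one-line comment directly above `permissions:`, e.g. `# Least-privilege GITHUB_TOKEN for all jobs; a job needing more must declare its own permissions block.` The same change, and the same suggestion, applies to the apple, release-test, unix, weekly, windows and zephyr hunks. In release-test.yml the `on:` block continues past the hunk, so whether any of its jobs needs more than read is not visible here.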
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 1230f18df..fdf560032 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,8 +1,11 @@
-# This workflow uses actions that are not certified by GitHub. They are provided
-# by a third-party and are governed by separate terms of service, privacy
-# policy, and support documentation.
-
 name: Scorecard supply-chain security
+
+permissions:
+  contents: read
+  # needed to allow a badge to be created
+  # ie [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}/badge)](https://securityscorecards.dev/viewer/?uri=github.com/{owner}/{repo})
+  id-token: write
+  security-events: write
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
@@ -15,9 +18,6 @@ on:
     branches: [ "main" ]
   pull_request:
 
-# Declare default permissions as read only.
-permissions: read-all
-
 jobs:
   analysis:
     name: Scorecard analysis
diff --git a/.github/workflows/unix.yml b/.github/workflows/unix.yml
index ed3607f6d..47c399337 100644
--- a/.github/workflows/unix.yml
+++ b/.github/workflows/unix.yml
@@ -1,5 +1,8 @@
 name: Linux and MacOS tests
 
+permissions:
+  contents: read
+
 on: [ push, pull_request ]
 
 jobs:
diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml
index a64229fdf..26494c865 100644
--- a/.github/workflows/weekly.yml
+++ b/.github/workflows/weekly.yml
@@ -1,5 +1,8 @@
 name: Weekly extended tests
 
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: "5 0 * * 0"
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 85619a138..a409c6296 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -1,5 +1,8 @@
 name: Windows tests
 
+permissions:
+  contents: read
+
 on: [ push, pull_request ]
 
 jobs:
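Review bot: `id-token: write` and `security-events: write` are now granted at workflow level in the first scorecard.yml hunk, so every job in the workflow receives them rather than only the analysis job, whereas the removed `permissions: read-all` granted no write scope at all and the upstream scorecard template scopes these two writes to `jobs.analysis.permissions`. Keep `contents: read` at the top and move the two write lines, with their comments, under the `analysis` job; if that job already carries its own `permissions:` block further down, which is outside the hunks in view, simply drop the two lines here. `security-events: write` also has no comment — presumably it is for the SARIF upload to code scanning later in the file; `# needed to upload the results to the code-scanning dashboard` would make that explicit.
```yaml
permissions:
  contents: read

# … unchanged: on: triggers …

jobs:
  analysis:
    name: Scorecard analysis
    permissions:
      # needed to upload the results to the code-scanning dashboard
      security-events: write
      # needed to allow a badge to be created
      id-token: write
```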
diff --git a/.github/workflows/zephyr.yml b/.github/workflows/zephyr.yml
index 30490eca6..d18d148e8 100644
--- a/.github/workflows/zephyr.yml
+++ b/.github/workflows/zephyr.yml
@@ -1,5 +1,8 @@
 name: Zephyr tests
 
+permissions:
+  contents: read
+
 on: [push, pull_request]
 
 jobs: