From 45c8b67cdb7ef96852081c476f0d8dba568e9d57 Mon Sep 17 00:00:00 2001 From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Date: Fri, 15 Apr 2022 14:51:52 +0000 Subject: [PATCH] Set permissions for GitHub actions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- .github/workflows/ci.yml | 5 +++++ .github/workflows/post-release.yml | 5 +++++ .github/workflows/rust-next.yml | 3 +++ .github/workflows/spelling.yml | 3 +++ 4 files changed, 16 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4e106e3b..424d2e64 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -5,8 +5,13 @@ on: branches: [master] schedule: - cron: '3 3 3 * *' +permissions: + contents: read + jobs: ci: + permissions: + contents: none name: CI needs: [test, check, docs, rustfmt, clippy] runs-on: ubuntu-latest diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml index ee516150..e7334fe1 100644 --- a/.github/workflows/post-release.yml +++ b/.github/workflows/post-release.yml @@ -3,8 +3,13 @@ on: push: tags: - "v*" +permissions: + contents: read + jobs: create-release: + permissions: + contents: write # for actions/create-release to create a release name: create-release runs-on: ubuntu-latest outputs: diff --git a/.github/workflows/rust-next.yml b/.github/workflows/rust-next.yml index 50a46298..d3866f2d 100644 --- a/.github/workflows/rust-next.yml +++ b/.github/workflows/rust-next.yml @@ -2,6 +2,9 @@ name: rust-next on: schedule: - cron: '3 3 3 * *' +permissions: + contents: read + jobs: test: name: Test diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml index 8d296517..3eac2073 100644 --- a/.github/workflows/spelling.yml +++ b/.github/workflows/spelling.yml @@ -1,6 +1,9 @@ name: Spelling on: [pull_request] +permissions: + contents: read + jobs: spelling: name: Spell Check with Typos