chore: Set permissions for GitHub actions

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-04-27 01:37:20 +00:00
parent fc743b1b52
commit c6a7aa08c7
4 changed files with 16 additions and 0 deletions
--- a/.github/workflows/build-preview.yml
+++ b/.github/workflows/build-preview.yml
@@ -5,6 +5,9 @@ on:
    branches:
      - main

+permissions:
+  contents: read
+
 jobs:
  build-preview:
    runs-on: ubuntu-latest
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,6 +5,9 @@ on:
    branches:
      - main

+permissions:
+  contents: read
+
 jobs:
  publish-npm:
    runs-on: ubuntu-latest
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -10,8 +10,15 @@ on:
  schedule:
    - cron: '0 0 * * 0'  # At 00:00 on Sunday

+permissions:
+  contents: read
+
 jobs:
  codeql:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
    runs-on: ubuntu-latest

    steps:
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -11,6 +11,9 @@ on:
 env:
  CI: true

+permissions:
+  contents: read
+
 jobs:
  pretest:
    name: Pre-Test